Abstract. Linearizability of concurrent data structures is usually proved by monolithic
simulation arguments relying on the identification of the so-called linearization points.
Regrettably, such proofs, whether manual or automatic, are often complicated and scale
poorly to advanced non-blocking concurrency patterns, such as helping and optimistic
updates.

In response, we propose a more modular way of checking linearizability of concurrent 
queue algorithms that does not involve identifying linearization points. We reduce the 
task of proving linearizability with respect to the queue specification to establishing four 
basic properties, each of which can be proved independently by simpler arguments. As a 
demonstration of our approach, we verify the Herlihy and Wing queue, an algorithm that 
is challenging to verify by a simulation proof. 


1. Introduction 

Linearizability [10] is widely accepted as the standard correctness requirement for concurrent
data structure implementations. It amounts to showing that each method provides
the illusion that it executes atomically at some point after its call and before its return. 
Typically, what each method is expected to do (atomically) is given in terms of a sequential 
specification. For instance, an unbounded queue must support the following two methods: 
enqueue , which extends the queue by appending one element to its end, and dequeue , which 
removes and returns the first element of the queue. 

The standard way to prove that a concurrent queue implementation is linearizable is to
show that it is simulated by the idealised atomic queue implementation, which we take to be
the specification of the queue. For example, using forward simulation [?], we have to define
a relation $S$ relating the state of the implementation to the state of the specification, and
to show that (1) the initial states of the implementation and the specification are related
by $S$, and (2) starting from $S$-related implementation and specification states $(\sigma_{impl}, \sigma_{spec})$,
if the implementation takes a step and goes to state $\sigma'_{impl}$, the specification can also take a
matching step (or stutter) and result in some state $\sigma'_{spec}$ that is $S$-related to $\sigma'_{impl}$. The most
important part of these proofs is to decide which of the implementation steps are matched by
actual steps of the specification code and which by stuttering moves. For each method of the
implementation, the step during its execution that in the simulation proof is matched by the
atomic step of the corresponding method of the specification is known as the linearization
point. A well-established approach (e.g. [?]) is therefore to identify
these linearization points, which when performed by the implementation change the state
of the specification, and to then construct a suitable forward or backward simulation.

2012 ACM CCS: [Theory of computation]: Semantics and reasoning—Program reasoning—Program
verification; [Software and its engineering]: Software organization and properties—Software functional
properties—Formal methods—Software verification.

While for a number of concurrent algorithms, spotting the linearization points may be
straightforward (and has even been automated to some extent [19]), in general specifying the
linearization points can be very difficult. For instance, in implementations using a helping
mechanism, they can lie in code not syntactically belonging to the thread and operation in
question, and can even depend on future behavior. There are numerous examples in the
literature where this is the case; to mention only a few concurrent queues: the Herlihy
and Wing queue [10], the optimistic queue [?], the elimination queue [16], the baskets
queue [?], the flat-combining queue [?].


The Herlihy and Wing Queue.

    var q.back  : int ← 0
    var q.items : array of val ← {NULL, NULL, ...}

    procedure enq(x : val)
        ⟨i ← INC(q.back)⟩                       ▷ E1
        ⟨q.items[i] ← x⟩                        ▷ E2

    procedure deq() : val
        while true do
            ⟨range ← q.back − 1⟩                ▷ D1
            for i = 0 to range do
                ⟨x ← SWAP(q.items[i], NULL)⟩    ▷ D2
                if x ≠ NULL then return x

Figure 1: Herlihy and Wing queue [10].

In this paper, we focus on the Herlihy and Wing queue [10] (henceforth, HW queue for
short) that illustrates nicely the difficulties encountered when defining a simulation relation
based on linearization points. We recall the code of the queue as given in [10] in Figure 1.
The queue is represented as a pre-allocated unbounded array, q.items, initially filled with
NULLs, and a marker, q.back, pointing to the end of the used part of the array. Enqueuing
an element is done in two steps: the marker to the end of the array is incremented ($E_1$),
thereby reserving a slot for storing the element, and then the element is stored at the
reserved slot ($E_2$). Dequeue is more complex: it reads the marker ($D_1$), and then searches
from the beginning of the array up to the marker to see if it contains a non-NULL element.
It removes and returns the first such element it finds ($D_2$). If no element is found, dequeue
starts again afresh. Each of the four statements surrounded by $\langle\rangle$ brackets and annotated
by $E_i$ or $D_i$ for $i = 1, 2$ is assumed to execute atomically.

We now show that verifying this algorithm by finding its linearization points is difficult.
Consider the following execution fragment, where $\cdot$ denotes context switches between
concurrent threads,

$(t : E_1) \cdot (u : E_1) \cdot (v : D_1, D_2) \cdot (u : E_2) \cdot (t : E_2) \cdot (w : D_1)$

in which threads $t$ and $u$ execute enqueue instances, and $v$ and $w$ execute dequeue
instances. At the end of this fragment, $v$ is ready to dequeue the element enqueued by $u$, and
$w$ is ready to dequeue the element enqueued by $t$. In order to define a simulation relation
from this interleaving sequence to a valid sequential queue behavior, where operations happen
in isolation, we have to choose the linearization points for the two completed enqueue
instances. The difficulty lies in the fact that no matter which statements are chosen as
the linearization points for the two enqueue instances, there is always an extension to the
fragment inconsistent with the particular choice of linearization points. For instance, if we
choose $(t : E_1)$ as the linearization point for $t$, then the extension

$(v : D_2, \mathit{return}) \cdot (z : D_1, D_2, \mathit{return})$

requiring $u$'s element to be enqueued before that of $t$, will be inconsistent. If, on the other
hand, we choose any statement which makes $u$ linearize before $t$, then the extension

$(w : D_2, \mathit{return}) \cdot (z : D_1, D_2, D_2, \mathit{return})$

requiring the reverse order of enqueueing will be inconsistent. This shows not only that
finding the correct linearization points can be challenging, but also that the simulation
proofs will require reasoning about the entire state of the system, as the local state of one
thread can affect the linearization of another.
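The fragment and its two extensions can be replayed step by step. The following Python model is an added example, not code from the paper: it encodes the four atomic statements of Figure 1 as generator steps so that a schedule can interleave threads exactly as written above. The thread names, the helper names `execute` and `dequeue_order`, the bounded array capacity and the values x and y are choices made here.

```python
"""Replay interleavings of the Herlihy and Wing queue of Figure 1 (added example)."""

NULL = None


class HWQueue:
    """Pre-allocated array plus back marker, as in Figure 1 (capacity bounded here)."""

    def __init__(self, capacity=8):
        self.back = 0
        self.items = [NULL] * capacity

    def enq(self, x):
        """Generator: one yield per atomic statement, so a scheduler can interleave threads."""
        i = self.back                 # <i <- INC(q.back)>: reserve a slot ...
        self.back += 1
        yield "E1"                    # ... that is atomic step E1
        self.items[i] = x             # <q.items[i] <- x>
        yield "E2"

    def deq(self):
        while True:
            rng = self.back - 1       # <range <- q.back - 1>
            yield "D1"
            for i in range(rng + 1):
                x, self.items[i] = self.items[i], NULL   # <x <- SWAP(q.items[i], NULL)>
                yield "D2"
                if x is not NULL:
                    return x          # generator return value = dequeued element


def execute(schedule, enq_values=("x", "y")):
    """Run a schedule [(thread, label), ...] on a fresh queue, checking that each
    scheduled label is the statement the thread actually executes next.
    Threads t, u enqueue enq_values; v, w, z dequeue. Returns the values returned
    by completed dequeues, in the order in which they returned."""
    q = HWQueue()
    threads = {"t": q.enq(enq_values[0]), "u": q.enq(enq_values[1]),
               "v": q.deq(), "w": q.deq(), "z": q.deq()}
    returned = []
    for thread, label in schedule:
        try:
            executed = next(threads[thread])
        except StopIteration as done:            # the method returned
            executed = "return"
            returned.append((thread, done.value))
        if executed != label:
            raise ValueError(f"{thread} executed {executed}, schedule expected {label}")
    return returned


# The fragment from the text and its two extensions (constructed from the paper's example).
FRAGMENT = [("t", "E1"), ("u", "E1"), ("v", "D1"), ("v", "D2"),
            ("u", "E2"), ("t", "E2"), ("w", "D1")]
EXTENSION_A = [("v", "D2"), ("v", "return"), ("z", "D1"), ("z", "D2"), ("z", "return")]
EXTENSION_B = [("w", "D2"), ("w", "return"),
               ("z", "D1"), ("z", "D2"), ("z", "D2"), ("z", "return")]


def dequeue_order(extension):
    """Values dequeued, in return order, after FRAGMENT followed by the extension."""
    return [value for _, value in execute(FRAGMENT + extension)]


if __name__ == "__main__":
    print("extension A dequeues", dequeue_order(EXTENSION_A))   # u's element first
    print("extension B dequeues", dequeue_order(EXTENSION_B))   # t's element first
```

Both schedules run without raising, which confirms that the fragment and the two extensions are feasible interleavings of Figure 1. Extension A returns y (enqueued by u) before x, extension B the reverse, so no single statement of enq can be fixed as its linearization point without one of the extensions contradicting the choice.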

Our Contribution. In our experience, this and similar tricks for reducing synchronization
among threads so as to achieve better performance, make concurrent algorithms extremely
difficult to reason about when one is constrained to establishing a simulation relation. However,
if two methods overlap in time, then the only thing enforced by linearizability is that
their effects are observed in one and the same order by all threads. For instance, in the
example given above, the simple answer for the particular ordering between the linearization
points of the enqueue instances of $t$ and $u$ is that it does not matter! As long as enqueue
instances overlap, their values can be dequeued in any order.

Building on this observation, our contribution is to simplify linearizability proofs by
modularizing them. We reduce the task of proving linearizability to establishing four relatively
simple properties, each of which may be reasoned about independently. In (loose)
analogy to aspect-oriented programming, we are proposing “aspect-oriented” linearizability
proofs for concurrent queues, where each of these four properties will be proved independently.

So what are these properties? A correct (i.e., linearizable) concurrent queue: 

(1) must not allow dequeuing an element that was never enqueued; 

(2) must not allow the same element to be dequeued twice; 

(3) must not allow elements to be dequeued out of order; and 

(4) must correctly report whether the queue is empty or not.¹

Although similar properties were already mentioned by Herlihy and Wing [10], we
for the first time prove that suitably formalized versions of these four properties are not
only necessary, but also sufficient, conditions for linearizability with respect to the queue
specification, at least for what we call purely-blocking implementations. This is a rather weak
requirement satisfied by all non-blocking implementations, as well as by possibly blocking
implementations, such as the HW deq() method, whose blocking executions do not modify the
global state.

¹ The HW queue trivially satisfies the fourth property as it never reports that the queue is empty.

Paper Outline. The rest of the paper is structured as follows: Section 2 recalls the definition
of linearizability in terms of execution histories. Section 3 develops an alternative
characterization of legal queue behaviors, which is useful for our proofs. Section 4 formalizes
the aforementioned four properties, and proves that they are necessary and sufficient
conditions for proving linearizability of queues. Section 5 returns to the HW queue example
and presents a detailed manual proof of its correctness by checking each of the properties
separately. Section 6 shows how the checking of these four properties can be automated by
reducing them to non-termination of certain parametric programs. Section 7 explains how
we adapted Cave [19] to prove these parametric programs non-terminating for the case of
the HW queue. Finally, in Section 8 we discuss related work, and in Section 9 we conclude.

Differences from the Conference Paper. This article is an extended version of our
CONCUR'13 conference paper [8], containing all the proofs of the lemmas and theorems
mentioned in the paper. Since the conference, we have also implemented a checker for the
VRepet property, and have expanded the discussion of automation in Sections 6 and 7 to
cover the verification of VRepet.

2. Technical Background 

In this section, we introduce common notations that will be used throughout the paper and 
recall the definition of linearizability. 

For any function $f$ from $A$ to $B$ and $A' \subseteq A$, let $f(A') \stackrel{\text{def}}{=} \{f(a) \mid a \in A'\}$. Given two
sequences $x$ and $y$, let $x \cdot y$ denote their concatenation, and let $x \sim_{perm} y$ hold if one is a
permutation of the other. We use $x(i)$ to refer to the $i$th element in sequence $x$, and $x(i : j)$
to refer to the subsequence of $x$ containing all elements from position $i$ to $j$ inclusive. We
write $x|A$ for the subsequence of $x$ containing only elements in the set $A$.

Behaviors. A data structure $\mathcal{D}$ is a pair $(D, \Sigma_{\mathcal{D}})$, where $D$ is the data domain and $\Sigma_{\mathcal{D}}$ is the
method alphabet. An event of $\mathcal{D}$ is a quadruple $(uid, m, d_i, d_o)$, for a unique event identifier
$uid \in \mathbb{N}$, a method $m \in \Sigma_{\mathcal{D}}$, and data elements $d_i, d_o \in D$. Intuitively, $(uid, m, d_i, d_o)$
denotes the application of method $m$ with input argument $d_i$ returning the output value
$d_o$. Throughout the paper, we will assume that the $uid$ components of events are globally
unique. A duplicate-free sequence over events of $\mathcal{D}$ is called a behavior. The semantics of
data structure $\mathcal{D}$ is a set of behaviors, called legal behaviors.

The method alphabet $\Sigma_Q$ of a queue is the set $\{\mathit{enq}, \mathit{deq}\}$. We will take the data domain
to be the set of natural numbers, $\mathbb{N}$, and a distinguished symbol NULL not in $\mathbb{N}$. Events are
written as $\mathit{enq}^{uid}(x)$, short for $(uid, \mathit{enq}, x, \bot)$, and $\mathit{deq}^{uid}(x)$, short for $(uid, \mathit{deq}, \bot, x)$. For
conciseness, we will often also omit the $uid$ superscripts. Events with $\mathit{enq}$ are called enqueue
events, and those with $\mathit{deq}$ are called dequeue events. We use $\mathit{Enq}$ and $\mathit{Deq}$ to denote all
enqueue and dequeue events, respectively.

We will use a labelled transition system, $LTS_Q$, to define the queue semantics. The
states of $LTS_Q$ are sequences over $\mathbb{N}$, the initial state is the empty sequence $\varepsilon$. There is a
transition from $q$ to $q'$ with action $a$, written $q \xrightarrow{a} q'$, if (i) $a = \mathit{enq}(x)$ and $q' = q \cdot x$, or (ii)
$a = \mathit{deq}(x)$ and $q = x \cdot q'$, or (iii) $a = \mathit{deq}(\mathrm{NULL})$ and $q = q' = \varepsilon$.

A run of $LTS_Q$ is an alternating sequence $q_0\, l_1\, q_1 \cdots l_n\, q_n$ of states and queue events such
that for all $1 \le i \le n$, we have $q_{i-1} \xrightarrow{l_i} q_i$. The trace of a run is the sequence $l_1 \cdots l_n$ of the
events occurring on the run. A queue behavior $b$ is legal iff there is a run of $LTS_Q$ with trace
$b$. In what follows, we will consider only legal queue behaviors, and hence usually omit legal,
unless explicitly stated otherwise. Let $\mathcal{Q}$ denote the set of all (legal) queue behaviors.

Histories and Linearizability. Each event $a = (uid, m, d_i, d_o)$ generates two actions: the
invocation of $a$, written as $\mathit{inv}(a)$, and the response of $a$, written as $\mathit{res}(a)$. We will also
use $m^{uid}_{inv}(d_i)$ and $m^{uid}_{res}(d_o)$ to denote the invocation and the response actions, respectively.
When a particular method $m$ does not have an input (resp., output) parameter, we will
write $m^{uid}_{inv}$ (resp., $m^{uid}_{res}$) for the corresponding invocation (resp., response) action. We will
also often omit the superscripts, when they are not important.

In this paper, a history of $\mathcal{D}$ is a sequence of invocation and response actions of $\mathcal{D}$. We
will assume the existence of an implicit identifier in each history $c$ that uniquely pairs each
invocation with its corresponding response action, if the latter also occurs in $c$. A history $c$
is well-formed if every response action occurs after its associated invocation action in $c$. We
will consider only well-formed histories. An event is completed in $c$, if both of its invocation
and response actions occur in $c$. An event is pending in $c$, if only its invocation occurs in $c$.
We define $\mathit{remPending}(c)$ to be the sub-sequence of $c$ where all pending events have been
removed. An event $e$ precedes another event $e'$ in $c$, written $e \prec_c e'$, if the response of $e$
occurs before the invocation of $e'$ in $c$. For event $e$, $\mathit{Before}(e, c)$ denotes the set of all events
that precede $e$ in $c$. Similarly, $\mathit{After}(e, c)$ denotes the set of all events that are preceded by
$e$ in $c$. Formally,

$\mathit{Before}(e, c) \stackrel{\text{def}}{=} \{e' \mid e' \prec_c e\}$ and $\mathit{After}(e, c) \stackrel{\text{def}}{=} \{e' \mid e \prec_c e'\}$.

A set of events $A$ is closed under $\prec_c$ iff whenever $a \in A$ and $b \prec_c a$, then $b \in A$.

History $c$ is called complete if it does not have any pending events. For a possibly
incomplete history $c$, a completion of $c$, written $\hat{c}$, is a well-formed complete history such
that $\hat{c} = \mathit{remPending}(c \cdot c')$ where $c'$ contains only response actions. Let $\mathit{Compl}(c)$ denote
the set of all completions of $c$.

A history is called sequential if all invocations in it are immediately followed by their
matching responses, with the possible exception of the very last action which can only be the
invocation of a pending event. We identify complete sequential histories with behaviors of $\mathcal{D}$
by mapping each consecutive pair of matching actions in the former to its event constructing
the latter. A sequential history $s$ is a linearization of a history $c$, if there exists $\hat{c} \in \mathit{Compl}(c)$
such that $\hat{c} \sim_{perm} s$ and whenever $e \prec_{\hat{c}} e'$ we have $e \prec_s e'$.

Definition 2.1 (Linearizability [10]). A history $c$ is linearizable with respect to a data
structure $\mathcal{D}$ if there exists a linearization of $c$ that is a legal behavior of $\mathcal{D}$. A set of histories
$C$ is linearizable with respect to $\mathcal{D}$ if every $c \in C$ is linearizable with respect to $\mathcal{D}$.

An execution trace is a sequence of instruction labels coupled with thread identifiers
executing the instruction. For instance, $(t : i)$ denotes the execution of the instruction with the
unique label $i$ by thread $t$. An instruction label is the entry point of method $m$, written
$\mathit{enter}(m)$, if it is the label of the first instruction of $m$. Similarly, an instruction label is
an exit point of $m$, written $\mathit{exit}(m)$, if it is the label of an instruction that completes the
execution of $m$. Each execution trace $\tau$ induces a history $h(\tau)$ which is obtained by replacing
each $(t : \mathit{enter}(m))$ with $m^{uid}_{inv}(d_i)$, each $(t : \mathit{exit}(m))$ with $m^{uid}_{res}(d_o)$, and removing the
remaining symbols. We assume that states of an execution trace contain enough information
to deduce the values of $d_i$ and $d_o$ associated with each entry and exit point. To illustrate
this definition, consider the following execution trace from the introduction:

$(t : E_1) \cdot (u : E_1) \cdot (v : D_1, D_2) \cdot (u : E_2) \cdot (t : E_2) \cdot (w : D_1) \cdot (v : D_2, \mathit{return}) \cdot (z : D_1, D_2, \mathit{return})$.

The history corresponding to this trace is:

$\mathit{enq}^t_{inv}(x) \cdot \mathit{enq}^u_{inv}(y) \cdot \mathit{deq}^v_{inv} \cdot \mathit{deq}^w_{inv} \cdot \mathit{deq}^v_{res}(x) \cdot \mathit{deq}^z_{inv} \cdot \mathit{deq}^z_{res}(y)$

where we have used the thread identifiers without subscripts as unique event identifiers.
After completing the history with responses $\mathit{enq}^t_{res}$ and $\mathit{enq}^u_{res}$ of the pending enqueues, and
removing the pending invocation $\mathit{deq}^w_{inv}$, the history may be linearized as follows:

$\mathit{enq}^t_{inv}(x) \cdot \mathit{enq}^t_{res} \cdot \mathit{enq}^u_{inv}(y) \cdot \mathit{enq}^u_{res} \cdot \mathit{deq}^v_{inv} \cdot \mathit{deq}^v_{res}(x) \cdot \mathit{deq}^z_{inv} \cdot \mathit{deq}^z_{res}(y)$

and corresponds to the (legal) behavior $\mathit{enq}^t(x) \cdot \mathit{enq}^u(y) \cdot \mathit{deq}^v(x) \cdot \mathit{deq}^z(y)$. An execution
trace is complete if its induced history is complete. An implementation is identified with
the set of execution traces it generates. When clear from the context, we will refer to the
induced history of an execution trace as a history of the implementation.
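Definition 2.1 can be checked mechanically for small histories by enumerating the completions in $\mathit{Compl}(c)$, the permutations that respect $\prec_{\hat{c}}$, and running each candidate through $LTS_Q$. The following Python checker is an added example, not code from the paper; the action encoding, the helper names, and the two sample histories (the one induced above, and a constructed FIFO violation) are choices made here.

```python
"""Brute-force linearizability check of queue histories (Definition 2.1); added example."""
from itertools import permutations, product

NULL = "NULL"
DROP = object()   # marks "leave this pending event out", i.e. remPending

# An action is (kind, uid, method, value): kind is "inv" or "res"; value is the
# input d_i of an invocation or the output d_o of a response (None when absent).


def events_of(history):
    """Pair each invocation with its response by uid, keeping their positions."""
    ev = {}
    for pos, (kind, uid, method, value) in enumerate(history):
        e = ev.setdefault(uid, {"uid": uid, "m": method, "inv": None, "res": None,
                                "arg": None, "ret": None})
        if kind == "inv":
            e["inv"], e["arg"] = pos, value
        else:
            e["res"], e["ret"] = pos, value
    return ev


def completions(history):
    """Enumerate Compl(c): every pending event is either dropped or completed
    with a response appended after all existing actions."""
    ev = events_of(history)
    done = [e for e in ev.values() if e["res"] is not None]
    pending = [e for e in ev.values() if e["res"] is None]
    # A pending dequeue may return any enqueued value or NULL; an enqueue returns nothing.
    domain = [e["arg"] for e in ev.values() if e["m"] == "enq"] + [NULL]
    options = [[DROP, None] if e["m"] == "enq" else [DROP] + domain for e in pending]
    for choice in product(*options):
        comp = list(done)
        for e, ret in zip(pending, choice):
            if ret is not DROP:
                comp.append(dict(e, res=len(history) + len(comp), ret=ret))
        yield comp


def precedes(e1, e2):
    """e1 precedes e2 iff e1's response comes before e2's invocation."""
    return e1["res"] < e2["inv"]


def linearizations(complete_events):
    """All orderings of the events that respect the precedence relation."""
    n = len(complete_events)
    for perm in permutations(complete_events):
        if all(not precedes(perm[j], perm[i]) for i in range(n) for j in range(i + 1, n)):
            yield perm


def is_legal(behavior):
    """Run LTS_Q: a behavior is legal iff the sequential queue accepts it."""
    q = []
    for e in behavior:
        if e["m"] == "enq":
            q.append(e["arg"])
        elif e["ret"] == NULL:
            if q:
                return False            # deq(NULL) only in the empty state
        else:
            if not q or q[0] != e["ret"]:
                return False            # must return the head of the queue
            q.pop(0)
    return True


def is_linearizable(history):
    return any(is_legal(lin) for comp in completions(history) for lin in linearizations(comp))


# The history induced by the execution trace above (constructed from the text).
HISTORY_INTRO = [
    ("inv", "t", "enq", "x"), ("inv", "u", "enq", "y"), ("inv", "v", "deq", None),
    ("inv", "w", "deq", None), ("res", "v", "deq", "x"), ("inv", "z", "deq", None),
    ("res", "z", "deq", "y"),
]
# A constructed FIFO violation: enq(x) completes before enq(y) starts, yet y is
# dequeued first by an operation that completes before the dequeue of x starts.
HISTORY_FIFO_VIOLATION = [
    ("inv", 1, "enq", "x"), ("res", 1, "enq", None), ("inv", 2, "enq", "y"),
    ("res", 2, "enq", None), ("inv", 3, "deq", None), ("res", 3, "deq", "y"),
    ("inv", 4, "deq", None), ("res", 4, "deq", "x"),
]

if __name__ == "__main__":
    print("intro history linearizable:", is_linearizable(HISTORY_INTRO))             # True
    print("FIFO violation linearizable:", is_linearizable(HISTORY_FIFO_VIOLATION))  # False
```

The search is exponential in the number of events and is meant only to make the definition concrete: the completion that drops $\mathit{deq}^w_{inv}$ and completes both enqueues yields exactly the linearization shown above, while the second history has a single precedence-respecting order and $LTS_Q$ rejects it.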

3. Alternative Characterization of Legal Queue Behaviours 

We start with some terminology. Let $c$ be a history. $\mathit{Enq}(c)$ denotes the set of all enqueue
events invoked (and not necessarily completed) in $c$. Similarly, $\mathit{Deq}(c)$ denotes the set of all
dequeue events invoked in $c$. When $c$ is a complete history, we define the value of an event
$e$, written $\mathit{Val}_c(e)$, to be the value enqueued or dequeued by that event.

We find it useful to express the semantics of queues in an alternative formulation. 

Definition 3.1. A queue behavior $b$ has a sequential witness if there is a total mapping
$\mu_{seq}$ from $\mathit{Deq}(b)$ to $\mathit{Enq}(b) \cup \{\bot\}$ such that

(i) $\mu_{seq}(d) = e$ implies $\mathit{Val}_b(d) = \mathit{Val}_b(e)$,

(ii) $\mu_{seq}(d) = \bot$ iff $\mathit{Val}_b(d) = \mathrm{NULL}$,

(iii) $\mu_{seq}(d) = \mu_{seq}(d') \ne \bot$ implies $d = d'$,

(iv) $\mu_{seq}(d) = e$ implies $e \prec_b d$,

(v) $e \prec_b \mu_{seq}(d')$ implies $\mu_{seq}^{-1}(e) \prec_b d'$,

(vi) $\mu_{seq}(d) = \bot$ implies $|\{e \in \mathit{Enq}(b) \mid e \prec_b d\}| = |\{d' \in \mathit{Deq}(b) \mid d' \prec_b d \wedge \mu_{seq}(d') \ne \bot\}|$.

To illustrate this definition, consider the following legal queue behavior:

$b \stackrel{\text{def}}{=} \mathit{enq}^t(x) \cdot \mathit{enq}^u(y) \cdot \mathit{deq}^v(x) \cdot \mathit{deq}^z(y) \cdot \mathit{deq}^w(\mathrm{NULL})$

We can pick $\mu_{seq}$ such that $\mu_{seq}(v) = t$, $\mu_{seq}(z) = u$ and $\mu_{seq}(w) = \bot$. The constraints of
Definition 3.1 are satisfied because:

• $t \prec_b u$ implies $\mu_{seq}^{-1}(t) = v \prec_b z = \mu_{seq}^{-1}(u)$.

• $|\{e \in \mathit{Enq}(b) \mid e \prec_b w\}| = |\{t, u\}| = |\{v, z\}| = |\{d' \in \mathit{Deq}(b) \mid d' \prec_b w \wedge \mu_{seq}(d') \ne \bot\}|$.
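The six conditions can be evaluated directly on a behavior, and because conditions (i) and (ii) leave only finitely many candidate mappings, a witness can be searched for exhaustively; by Theorem 3.10 later in this section, that search is a legality test. The following Python is an added example, not code from the paper; the encoding of events as (uid, method, value) triples, the helper names, and the second (reordered, non-legal) behavior are choices made here.

```python
"""Sequential witnesses (Definition 3.1): checker and exhaustive search; added example."""
from itertools import product

NULL = "NULL"
BOT = None   # the symbol ⊥: "this dequeue matches no enqueue"

# A behavior is a list of events (uid, method, value); for deq the value is what
# it returned (possibly NULL), for enq the value enqueued.


def witness_violations(b, mu):
    """Return the conditions of Definition 3.1 violated by the mapping mu on b
    (an empty list means mu is a sequential witness)."""
    pos = {uid: i for i, (uid, _, _) in enumerate(b)}
    val = {uid: v for uid, _, v in b}
    enqs = [uid for uid, m, _ in b if m == "enq"]
    deqs = [uid for uid, m, _ in b if m == "deq"]

    def prec(a, c):                                   # a ≺_b c
        return pos[a] < pos[c]

    inverse = {e: d for d, e in mu.items() if e is not BOT}   # mu^{-1} on matched enqueues
    matched = [d for d in deqs if mu.get(d) is not BOT]
    checks = {
        "total": set(mu) == set(deqs),
        "i": all(val[d] == val[mu[d]] for d in matched),
        "ii": all((mu.get(d) is BOT) == (val[d] == NULL) for d in deqs),
        "iii": len({mu[d] for d in matched}) == len(matched),
        "iv": all(prec(mu[d], d) for d in matched),
        # (v): an enqueue before mu(d') must itself be dequeued, and before d'
        "v": all(not prec(e, mu[d2]) or (e in inverse and prec(inverse[e], d2))
                 for d2 in matched for e in enqs),
        # (vi): before a NULL dequeue, #enqueues == #matched dequeues
        "vi": all(len([e for e in enqs if prec(e, d)])
                  == len([d2 for d2 in matched if prec(d2, d)])
                  for d in deqs if mu.get(d) is BOT),
    }
    return [name for name, ok in checks.items() if not ok]


def find_witness(b):
    """Exhaustively try every value-respecting mapping; return a witness or None."""
    enqs_by_value = {}
    for uid, m, v in b:
        if m == "enq":
            enqs_by_value.setdefault(v, []).append(uid)
    deqs = [(uid, v) for uid, m, v in b if m == "deq"]
    # Condition (ii) forces NULL dequeues to ⊥; condition (i) restricts the rest.
    options = [[BOT] if v == NULL else enqs_by_value.get(v, []) for _, v in deqs]
    for choice in product(*options):
        mu = {d: e for (d, _), e in zip(deqs, choice)}
        if not witness_violations(b, mu):
            return mu
    return None


# The behavior and witness from the text.
B = [("t", "enq", "x"), ("u", "enq", "y"), ("v", "deq", "x"),
     ("z", "deq", "y"), ("w", "deq", NULL)]
MU = {"v": "t", "z": "u", "w": BOT}

# Constructed non-legal behavior: y is dequeued before x although enq(x) precedes enq(y).
B_REORDERED = [("t", "enq", "x"), ("u", "enq", "y"), ("v", "deq", "y"), ("z", "deq", "x")]

if __name__ == "__main__":
    print("violations of MU on B:", witness_violations(B, MU))      # []
    print("witness for B:", find_witness(B))
    print("witness for reordered:", find_witness(B_REORDERED))      # None
```

For B_REORDERED the only value-respecting candidate maps v to u and z to t, and it fails condition (v): $t \prec_b u = \mu(v)$ would require $\mu^{-1}(t) = z \prec_b v$, which is false. That is the FIFO requirement expressed without any linearization point.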
To show that a behavior is legal iff it has a sequential witness, we need a number of
auxiliary definitions and lemmas.

We say that two queue behaviors $b_1$ and $b_2$ are observationally equivalent, written
$b_1 =_{obs} b_2$, if the sequences of enqueue events and those of dequeue events agree in both
behaviors. Formally, $b_1 =_{obs} b_2$ iff $b_1|\mathit{Enq} = b_2|\mathit{Enq}$ and $b_1|\mathit{Deq} = b_2|\mathit{Deq}$.

We define a special subset of queue behaviors, the canonical subset $\mathcal{Q}_c$, in which each
enqueue event is immediately followed by its matching dequeue event, in case it exists.
Formally, the canonical queue behaviors are given by the following regular expression:

$\mathcal{Q}_c \stackrel{\text{def}}{=} \big((\mathit{deq}(\mathrm{NULL}))^* \cdot \sum_{x \in \mathbb{N}} \mathit{enq}(x) \cdot \mathit{deq}(x)\big)^* \cdot (\mathit{deq}(\mathrm{NULL}))^* \cdot \big(\sum_{x \in \mathbb{N}} \mathit{enq}(x)\big)^*$

A run $r$ of $LTS_Q$ is called canonical if the trace of $r$ is canonical.

Note that every canonical behavior is legal. Consider a canonical behavior $b \in \mathcal{Q}_c$ and
split it into $b = b' \cdot \mathit{enq}(v_1)\,\mathit{enq}(v_2) \ldots \mathit{enq}(v_n)$ such that $b'$ does not end with an $\mathit{enq}$. This
behavior can be generated by the following run of $LTS_Q$:

$\big((\varepsilon\ \mathit{deq}(\mathrm{NULL}))^*\ \varepsilon\ \sum_{x \in \mathbb{N}} \mathit{enq}(x)\ x\ \mathit{deq}(x)\big)^*\ (\varepsilon\ \mathit{deq}(\mathrm{NULL}))^*\ \varepsilon\ \mathit{enq}(v_1)\ v_1\ \mathit{enq}(v_2)\ (v_1 v_2) \cdots (v_1 \ldots v_{n-1})\ \mathit{enq}(v_n)\ (v_1 \ldots v_{n-1} v_n)$

As the following result shows, canonical queue behaviors represent all legal behaviors,
up to observational equivalence.

Lemma 3.2. Let $b \in \mathcal{Q}$ be a legal queue behavior. Then there exists a canonical behavior
$b_c \in \mathcal{Q}_c$ such that $b =_{obs} b_c$.

Proof. By induction on the length of $b$. The base case, where $b = \varepsilon$, trivially satisfies the
condition since $\varepsilon \in \mathcal{Q}_c$. Now assume the claim holds for $b$, and we have to prove it for $b \cdot a$.
By the induction hypothesis, there is a canonical behavior $b_c =_{obs} b$. We observe that since
$b_c$ and $b$ are legal and $b_c =_{obs} b$, their runs end in the same final state. Therefore, the fact
that $b \cdot a$ is legal implies that $b_c \cdot a$ is also legal. We proceed by a case analysis of $a$.

• $a = \mathit{enq}(x)$. Then $b_c \cdot \mathit{enq}(x)$ is trivially also canonical.

• $a = \mathit{deq}(\mathrm{NULL})$. We know that $b_c$ cannot end in an enqueue event, or else the queue would
not be empty. Therefore $b_c \cdot \mathit{deq}(\mathrm{NULL})$ is canonical.

• $a = \mathit{deq}(y)$, with $y \ne \mathrm{NULL}$. We know that $b_c$ must be of the form $b_1 \cdot \mathit{enq}(y) \cdot b_2$ where $b_1$
does not end in an enqueue event and $b_2$ contains only enqueue events. Then, we take the
behavior $b_1 \cdot \mathit{enq}(y) \cdot \mathit{deq}(y) \cdot b_2$, which is both canonical and observationally equivalent
to $b \cdot \mathit{deq}(y)$. □

Moreover, canonical behaviors have a straightforward sequential witness.

Lemma 3.3. Every canonical behavior $b \in \mathcal{Q}_c$ has a sequential witness $\mu_b$.

Proof. Let $b$ be a canonical behavior. We construct $\mu_b$ by mapping all $\mathit{deq}(\mathrm{NULL})$ to $\bot$,
and each $\mathit{deq}(x)$ with $x \in \mathbb{N}$ to its immediate predecessor. By the definition of canonical
behavior, each $\mathit{deq}(x)$ in $b$ is immediately preceded by $\mathit{enq}(x)$. Thus, the first four conditions
are trivially satisfied. If $\mathit{enq}(y) \prec_b \mathit{enq}(x)$ and $\mathit{deq}(x)$ is in $b$, then by the definition of
canonical behavior, we must have

$b = b_1 \cdot \mathit{enq}(y) \cdot \mathit{deq}(y) \cdot b_2 \cdot \mathit{enq}(x) \cdot \mathit{deq}(x) \cdot b_3$

for some sequences $b_1, b_2, b_3$. This implies that condition (v) is satisfied. Finally, if $b =
b_1 \cdot \mathit{deq}(\mathrm{NULL}) \cdot b_2$, consider the sequence $b'_1$ obtained by projecting out all $\mathit{deq}(\mathrm{NULL})$ events
from $b_1$. That is,

$b'_1 \stackrel{\text{def}}{=} b_1|(\mathit{Enq} \cup \mathit{Deq} \setminus \{\mathit{deq}(\mathrm{NULL})\})$

Then, by the definition of canonical behavior, we have $b'_1 \in (\sum_{x \in \mathbb{N}} \mathit{enq}(x) \cdot \mathit{deq}(x))^*$. In
other words, $b'_1$ has an equal number of $\mathit{enq}$ and $\mathit{deq}$ symbols, such that by construction
$\mu_b(\mathit{deq}(x)) = \mathit{enq}(x) \ne \bot$. This implies that condition (vi) is satisfied. □

Lemma 3.4. If $b = b_1 \cdot \mathit{deq}(x) \cdot b_2$ is a legal queue behavior, then $\mathit{enq}(x) \prec_b \mathit{deq}(x)$.

Proof. By the definition of $LTS_Q$, $\mathit{deq}(x)$ can happen at a state $q$ if $q = x \cdot q'$ for some
sequence $q'$. Again by definition, all runs of $LTS_Q$ reaching $q$ must have a transition with
label $\mathit{enq}(x)$; otherwise, $x$ cannot occur in $q$. Since all legal behaviors have a corresponding
run, $\mathit{enq}(x) \prec_b \mathit{deq}(x)$ must hold. □

Next, we show that observationally equivalent legal queue behaviors cannot reorder 
their deq(NULL) events. 

Lemma 3.5. If $b$ and $b'$ are observationally equivalent legal queue behaviors, then $b(i) =
\mathit{deq}(\mathrm{NULL})$ iff $b'(i) = \mathit{deq}(\mathrm{NULL})$.

Proof. Since $=_{obs}$ is a symmetric relation, we prove only one direction. (⇒) Consider the
subsequences $b_e = b(1 : i-1)|\mathit{Enq}$, $b_d = b(1 : i-1)|\mathit{Deq}$, and their duals $b'_e$ and $b'_d$ for $b'$.
Note that each enqueue event increases by one the length of the sequence representing the
state, each dequeue event decreases by one the length of the sequence representing the state,
and $\mathit{deq}(\mathrm{NULL})$ can only happen when the length of the sequence is zero ($q = \varepsilon$). Then, the
number of enqueue events in $b_e$ and the number of non-NULL dequeue events in $b_d$ must be
equal; let us call it $k$.

Assume first that $b_d$ is a proper prefix of $b'_d$. This implies that $b'_e$ is a proper prefix of $b_e$.
The $(|b_d| + 1)$th symbol in $b'_d$ is $\mathit{deq}(\mathrm{NULL})$ because $b =_{obs} b'$. Then, the number of non-NULL
dequeue events preceding this $\mathit{deq}(\mathrm{NULL})$ is $k$, but the number of enqueue events preceding
it, contained in $b'_e$, which is a proper prefix of $b_e$, is strictly less than $k$. This contradicts
the assumption that $b'$ is a legal queue behavior. The case where $b_e$ is a proper prefix of $b'_e$
follows a similar argument.

Now assume that $b'_d = b_d$ and $b'_e = b_e$. Further assume $b'(i) = \mathit{enq}(x)$ for some $x \in \mathbb{N}$.
Because $b =_{obs} b'$, the next dequeue event in $b'$ is necessarily $\mathit{deq}(\mathrm{NULL})$. This, however,
contradicts the fact that $b'$ is legal, because in a legal behavior $\mathit{deq}(\mathrm{NULL})$ cannot
immediately follow an enqueue event. Therefore $b'(i) = \mathit{deq}(y)$ for some $y$ and because
$b =_{obs} b'$, we have that $y = \mathrm{NULL}$, as required. □

Next, we show that given two observationally equivalent behaviors and a sequential 
witness for the first behavior, we can build a sequential witness for the other. 

Lemma 3.6. Let $b =_{obs} b'$ and $\mu_b$ be a sequential witness for $b$. Then, there exists a
sequential witness for $b'$.

Proof. Let $\pi$ denote a permutation from $b$ to $b'$ such that $\mathit{deq}(\mathrm{NULL})$ events are not shuffled.
That is, $\pi(i) = j$ means that $b(i) = b'(j)$ and whenever $b(i) = \mathit{deq}(\mathrm{NULL})$, we set $\pi(i) = i$.
By the definition of obs-equivalence and Lemma 3.5 this permutation is well-defined. Note
that because $b =_{obs} b'$, the ordering among dequeue events is preserved by $\pi$. That is,
if $b(i), b(j) \in \mathit{Deq}$ and $i < j$, then $\pi(i) < \pi(j)$. The same holds for the ordering among
enqueue events. We now pick the mapping $\mu(i) \stackrel{\text{def}}{=} \pi(\mu_b(\pi^{-1}(i)))$ and show that it is a
sequential witness for $b'$. Conditions (i) and (ii) are satisfied by construction. Condition
(iii) is satisfied because $\pi$ is a bijection. Condition (iv) is satisfied by Lemma 3.4 and by
the construction of $\mu$. Condition (v) is satisfied because $\pi$ is a bijection and preserves
the ordering between dequeues and enqueues. Condition (vi) is satisfied by Lemma 3.5. □

Lemma 3.7. Let $b$ be a queue behavior with a sequential witness $\mu$.

(1) Let $d$ and $e$ be dequeue and enqueue events such that $\mu(d) = e$, and let $b'$ be the behavior
obtained after removing both $d$ and $e$ from $b$. Then, the restriction of $\mu$ to $b'$ is a
sequential witness for $b'$.

(2) Let $d = \mathit{deq}(\mathrm{NULL})$, and $b'$ be obtained by removing $d$ from $b$. Then, the restriction of
$\mu$ to $b'$ is a sequential witness for $b'$.

Proof. In both cases, let us denote the restri ction of $\mu$ on $b'$ with $\mu'$; we have to show that
$\mu'$ satisfies the six conditions of a sequential witness.

(1) Since $\mu'$ is a restriction, it satisfies conditions (i), (ii) and (iii). Observe that for
any two events $e_1$ and $e_2$ in $b'$, we have $e_1 \prec_b e_2$ iff $e_1 \prec_{b'} e_2$. This implies that $\mu'$ satisfies
conditions (iv) and (v). Finally, we have to show that there cannot be a dequeue event
$d' = \mathit{deq}(\mathrm{NULL})$ such that $e \prec_b d' \prec_b d$. Assume the contrary; then since the number of non-NULL
dequeue events and the number of enqueue events preceding $d'$ must be equal, there
must be a dequeue event $d_y = \mathit{deq}(y)$ whose matching $e_y = \mathit{enq}(y)$ comes after $d'$. This
implies that $d_y \prec_b d' \prec_b e_y$ and $\mu(d_y) = e_y$, contradicting condition (iii). Thus, condition
(vi) is also satisfied by $\mu'$.

(2) As in the previous case, conditions (i) to (v) are satisfied by $\mu'$. Condition
(vi) is satisfied because removing $d$ does not affect the cardinality of either set; thus, if
$d' = \mathit{deq}(\mathrm{NULL})$ is in $b'$, then the number of enqueue events and non-NULL dequeue events
that precede $d'$ in $b'$ is the same as those that precede $d'$ in $b$. □

Lemma 3.8. Let $b$ be a queue behavior and let $\mu$ be a sequential witness for $b$. Then,
there exists a canonical behavior $b_c$ such that $b =_{obs} b_c$ and for all $i$, $b(i) = \mathit{deq}(\mathrm{NULL})$ iff
$b_c(i) = \mathit{deq}(\mathrm{NULL})$.

Proof. Let $\mathit{can}(b, \mu)$ denote the canonical behavior of $b$ whose sequential witness is $\mu$. We
will prove, by induction on the length of $b$, that $\mathit{can}$ is a well-defined total function.

For the base, consider all sequences $b$ of length 1 or less which have a sequential witness.

• If $b = \varepsilon$, then the empty mapping is the only sequential witness for $b$; by definition, $b$ is
a canonical behavior. The second condition is vacuously satisfied.

• If $b = \mathit{deq}(\mathrm{NULL})$, then $\mu$ which maps $\mathit{deq}(\mathrm{NULL})$ to $\bot$ is the only sequential witness for $b$;
by definition, $b$ is a canonical behavior. Since $b_c = b$, the second condition is satisfied.

• If $b = \mathit{enq}(x)$ for some $x \in \mathbb{N}$, then the empty mapping is the only sequential witness for
$b$; by definition, $b$ is a canonical behavior. Since there is no $\mathit{deq}(\mathrm{NULL})$ event, the second
condition is vacuously satisfied.

Observe that the sequence $b = \mathit{deq}(x)$ of length 1 cannot have a sequential witness, because
any sequential witness has to map $\mathit{deq}(x)$ to a matching enqueue which does not exist.

Assume that the claim holds for all sequences of length $k$ or less. Let $b$ be a sequence
of length $k + 1$ and $\mu$ be a sequential witness for $b$. Consider the two sub-sequences of
$b$, $b_d = b|\mathit{Deq}$ and $b_e = b|\mathit{Enq}$, with lengths $n_d$ and $n_e$, respectively. Observe that $b$ is an
interleaving of $b_d$ and $b_e$. In particular, $b(1)$ is either $b_d(1)$ or $b_e(1)$. We will do a case
analysis on the possible values for $d = b_d(1)$.

• $d = \mathit{deq}(\mathrm{NULL})$. Then, we set $b_c = \mathit{can}(b, \mu) = d \cdot \mathit{can}(b', \mu')$, with $b'$ obtained by removing
the first $\mathit{deq}(\mathrm{NULL})$ from $b$ (note that this is $d$) and $\mu'$ obtained by restricting $\mu$ to $b'$. By
Lemma 3.7, $\mu'$ is a sequential witness for $b'$. By the inductive hypothesis, $b'_c = \mathit{can}(b', \mu')$ is
a canonical behavior observationally equivalent to $b'$. Since $b'_c$ is a canonical behavior, so
is $b_c = d \cdot b'_c = \mathit{deq}(\mathrm{NULL}) \cdot b'_c$. Since $b'_c =_{obs} b'$, we have $b_c|\mathit{Deq} = d \cdot b'_c|\mathit{Deq} = b_d = b|\mathit{Deq}$ and
$b_c|\mathit{Enq} = b_e = b|\mathit{Enq}$. Thus, $b_c =_{obs} b$. The second condition is satisfied, because both $b$
and $b_c$ have $\mathit{deq}(\mathrm{NULL})$ in their first position and $b'_c$ preserves the positions of NULL-dequeue
events by the inductive hypothesis.

• $d = \mathit{deq}(x)$ for some $x \in \mathbb{N}$. The assumption that $\mu$ is a sequential witness for $b$
implies that there exists $e = \mathit{enq}(x)$ such that $\mu(d) = e$ (conditions (i) and (ii)) and
$e \prec_b d$ (condition (iv)). Then, $e = b_e(1) = \mathit{enq}(x)$ must hold. Assume the contrary, that is,
$b_e(1) = \mathit{enq}(y)$ for some $y \ne x$. As noted above, $b(1)$ is either $b_d(1)$ or $b_e(1)$. If the former,
then $e \prec_b d$ cannot hold since $d$ is minimal with respect to $\prec_b$, violating condition (iv),
which contradicts the assumption that $\mu$ is a sequential witness for $b$. If the latter, that is,
$e' = b(1) = b_e(1) = \mathit{enq}(y)$, then $e' \prec_b e$, and either there is no $d' = \mathit{deq}(y)$ or if it exists,
$d \prec_b d'$, violating condition (v), which contradicts the assumption that $\mu$ is a sequential
witness for $b$. Thus, $e = b_e(1)$. We set $b_c = \mathit{can}(b, \mu) = e \cdot d \cdot \mathit{can}(b', \mu')$, with $b'$ obtained
by removing $d$ and $e$ from $b$ and $\mu'$ the restriction of $\mu$ on $b'$. By Lemma 3.7, $\mu'$
is a sequential witness for $b'$. By the inductive hypothesis, $b'_c = \mathit{can}(b', \mu')$ is a canonical
behavior obs-equivalent to $b'$. Since $b'_c$ is a canonical behavior, so is $b_c = e \cdot d \cdot b'_c =
\mathit{enq}(x) \cdot \mathit{deq}(x) \cdot b'_c$. Finally, since $b'_c =_{obs} b'$, we have $b_c|\mathit{Deq} = d \cdot b'_c|\mathit{Deq} = b_d = b|\mathit{Deq}$ and
$b_c|\mathit{Enq} = e \cdot b'_c|\mathit{Enq} = b_e = b|\mathit{Enq}$. Thus, $b_c =_{obs} b$. By the proof of Lemma 3.7 we know
that for any $d' = \mathit{deq}(\mathrm{NULL})$ either both $d$ and $e$ precede it in $b$ or neither does. Since $d$
is the first event in $b_d$, the latter cannot happen; i.e. $d \prec_b d'$ and $e \prec_b d'$. This implies
that the position of $d'$ is the same in $b$ and $e \cdot d \cdot b'_c$ by the inductive hypothesis. Thus
the second condition is satisfied. □


Lemma 3.9. Let $b_c$ be a canonical queue behavior. Let $b$ be a queue behavior such that $b \equiv_{obs} b_c$, for every $deq(x)$ in $b$ there is $enq(x) \prec_b deq(x)$, and for every $i$, $b(i) = deq(NULL)$ iff $b_c(i) = deq(NULL)$. Then, $b$ is legal.

Proof. We prove by induction on the length of $b$ that $b$ has a run in $LTS_Q$. The base case where $b = \varepsilon$ is trivial. Assume that the claim holds for all sequences of length $k$ or less. Let $b$ be a sequence of length $k + 1$. By the inductive hypothesis, there is a run $r$ in $LTS_Q$ with trace $b(1 : k)$. Let $q$ denote the state reached after this run. It is enough to show that there is a transition in $LTS_Q$ of the form $q \xrightarrow{b(k+1)} q'$, for some $q'$. We do a case analysis on $b(k + 1)$.

• $b(k + 1) = enq(x)$. Then the desired transition is $q \xrightarrow{enq(x)} q \cdot x = q'$.

• $b(k + 1) = deq(x) = d$. By the assumption on $b$, $e = enq(x) \prec_b d$. By observational equivalence to $b_c$, if $d = (b|_{Deq} \setminus \{deq(NULL)\})(i)$ for some $i$, then $e = b|_{Enq}(i)$. Together they imply that there are exactly $i - 1$ non-NULL dequeue events and at least $i$ enqueue events that precede $d$ in $b$. This in turn implies that $q$ must be of the form $x \cdot q'$. Then the desired transition is $x \cdot q' \xrightarrow{deq(x)} q'$.

• $b(k + 1) = deq(NULL) = d$. By the assumption on $b$ and $b_c$, we have $b_c(k + 1) = deq(NULL)$. This implies that the number of enqueue events that occur in $b_c(1 : k)$ is equal to the number of non-NULL dequeue events in $b_c(1 : k)$. Since $b \equiv_{obs} b_c$, for any dequeue event $d'$ we have $d' \prec_{b_c} d$ iff $d' \prec_b d$. These in turn imply that for any enqueue event $e$ we have $e \prec_{b_c} d$ iff $e \prec_b d$. Overall, we then have $q = \varepsilon$, and $\varepsilon \xrightarrow{deq(NULL)} \varepsilon = q'$ is the desired transition. □
Theorem 3.10. A queue behavior $b$ is legal iff $b$ has a sequential witness.

Proof. ($\Rightarrow$) Let $b$ be a legal queue behavior. By Lemma 3.2 there is a canonical behavior $b_c$ such that $b_c \equiv_{obs} b$. By Lemma 3.3, $b_c$ has a sequential witness. By Lemma 3.6, $b$ has a sequential witness.

($\Leftarrow$) Let $b$ be a queue behavior and $\mu$ be a sequential witness for $b$. By Lemma 3.8 and Lemma 3.9, $b$ is legal. □


4. Conditions for Queue Linearizability 

Generic Necessary and Sufficient Conditions. We start by reducing the problem 
of checking linearizability of a given history, c, with respect to the queue specification to 
finding a mapping from its dequeue events to its enqueue events satisfying certain conditions. 
Intuitively, we map each dequeue event to the enqueue event whose value the dequeue 
removed, or to nothing if the dequeue event returns NULL. We say that the mapping is safe 
if it pairs each deq event with an enq event such that the value removed by the former 
is inserted by the latter, implying that elements are inserted exactly once and removed at 
most once. A safe mapping is ordered if it additionally respects the ordering of events in c. 
Finally, an ordered mapping is a linearization witness if all NULL returning deq events see 
at least one state where the queue is logically empty. Below, we formalize these notions. 

Definition 4.1 (Safe Mapping). A total mapping $Match$ from $Deq(c)$ to $Enq(c) \cup \{\bot\}$ is safe for complete history $c$ if

(1) for all $d \in Deq(c)$, if $Match(d) \neq \bot$, then $Val_c(d) = Val_c(Match(d))$;

(2) for all $d \in Deq(c)$, $Match(d) = \bot$ iff $Val_c(d) = NULL$; and

(3) for all $d, d' \in Deq(c)$, if $Match(d) = Match(d') \neq \bot$, then $d = d'$.

Definition 4.2 (Ordered Mapping). A safe mapping $Match$ for $c$ is ordered if

(1) for all $d \in Deq(c)$, we have $d \not\prec_c Match(d)$; and

(2) for all $e \in Enq(c)$ and $d' \in Deq(c)$, if $e \prec_c Match(d')$, then there exists $d \in Deq(c)$ such that $e = Match(d)$ and $d' \not\prec_c d$.

Intuitively, the first condition states that an enqueue event cannot start after the completion of the dequeue event that removed the value inserted by the former. The second condition states that if two enqueue events $e$ and $e'$ are ordered such that $e \prec_c e'$ and the value inserted by $e'$ is removed by some $d'$, then there must exist a dequeue event $d$ removing what $e$ has inserted, and $d'$ cannot complete before $d$ starts.

Let $c$ be a complete history and $Match$ be ordered for $c$. Let $d_\bot \in Deq(c)$ be a dequeue event returning NULL; that is, $Val_c(d_\bot) = NULL$. Define $Bad(c, d_\bot) \subseteq Enq(c)$ as the smallest set consisting of all enqueue events $e$ in $c$ such that either, if the matching dequeue $d$ for $e$ exists (i.e. $Match(d) = e$), then $d$ is after $d_\bot$, or there is another $e'$ in $Bad(c, d_\bot)$ which precedes either $e$ or the matching dequeue event $d$ of $e$. Formally, the definition is given inductively as follows:

$Bad_0(c, d_\bot) = \{e \in Enq(c) \mid d_\bot \prec_c e \lor \forall d \in Deq(c).\ Match(d) = e \Rightarrow d_\bot \prec_c d\}$

$Bad_{i+1}(c, d_\bot) = \{e \in Enq(c) \mid \exists e_i \in Bad_i(c, d_\bot).\ e_i \prec_c e \lor \exists d \in Deq(c).\ Match(d) = e \land e_i \prec_c d\}$

with $Bad(c, d_\bot) = \bigcup_{i \in \mathbb{N}} Bad_i(c, d_\bot)$.

Intuitively, the set $Bad(c, d_\bot)$ contains all enqueue events after the completion of which $d_\bot$ cannot observe an empty queue. In other words, if $e \in Bad(c, d_\bot)$ and if $e$ completes before $d_\bot$ does, then the state of the queue is guaranteed to be non-empty after $e$ completes until the completion of $d_\bot$.

Definition 4.3 (Linearization Witness). An ordered mapping $Match$ for $c$ is a linearization witness if for any $d \in Deq(c)$ with $Val_c(d) = NULL$, we have $Bad(c, d) \cap Before(c, d) = \emptyset$.

In the proofs that follow, we sometimes use the following result to prove that a given 
ordered mapping is a linearization witness. 

Lemma 4.4. Let $c$ be a complete history, $Match$ be an ordered mapping for $c$ and $d_\bot \in Deq(c)$ be such that $Match(d_\bot) = \bot$. Then, $Bad(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$ iff there exist subsets $D_{d_\bot} \subseteq Deq(c)$ and $E_{d_\bot} \subseteq Enq(c)$ such that $(D_{d_\bot} \cup E_{d_\bot}) \cap After(c, d_\bot) = \emptyset$, $D_{d_\bot} \cup E_{d_\bot}$ is closed under $\prec_c$, and $Before(c, d_\bot) \cap Enq(c) \subseteq E_{d_\bot} \subseteq Match(D_{d_\bot})$.

Proof.

($\Rightarrow$) Assume that $Bad(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$. Set

$E_{d_\bot} \stackrel{def}{=} \{e \in Enq(c) \mid e \notin After(c, d_\bot) \cup Bad(c, d_\bot)\}$

$D' \stackrel{def}{=} \{d' \in Deq(c) \mid \exists e \in E_{d_\bot}.\ Match(d') = e\}$

$D_{d_\bot} \stackrel{def}{=} D' \cup \{d' \in Deq(c) \mid Match(d') = \bot \land \exists a \in E_{d_\bot} \cup D'.\ d' \prec_c a\}$

We have to show that $E_{d_\bot}$ and $D_{d_\bot}$ satisfy the three constraints.

• If $e \in E_{d_\bot}$, then it cannot be in $After(c, d_\bot)$ by construction. If $d \in D_{d_\bot}$, then either $d$ belongs to $D'$ or it is an event that precedes another event in $E_{d_\bot} \cup D'$. If $d \in D'$, then by construction its matching $e = Match(d)$ cannot be in $Bad(c, d_\bot)$. This implies that $d_\bot \not\prec_c d$, hence $d \notin After(c, d_\bot)$. If $d \notin D'$, then it is in the second set of the union and there is some $d'$ such that $d \prec_c d'$ and $d_\bot \not\prec_c d'$, which imply that $d_\bot \not\prec_c d$, hence $d \notin After(c, d_\bot)$.

• Let $a' \in E_{d_\bot} \cup D_{d_\bot}$ and $a \prec_c a'$. We do case analysis on $a$.

— If $a = d \in Deq(c)$ with $Match(d) = \bot$, then by the construction of $D_{d_\bot}$, $d \in D_{d_\bot}$.

— If $a = d \in Deq(c)$ with $Match(d) \neq \bot$, then if there is $e \in E_{d_\bot}$ such that $Match(d) = e$, then $d \in D_{d_\bot}$. Assume that $Match(d) = e \notin E_{d_\bot}$. This can happen when either $e \in After(c, d_\bot)$ or $e \in Bad(c, d_\bot)$. If $e$ is in $After(c, d_\bot)$, then the assumption that $Match$ is ordered implies that $d$ must complete after $e$ starts ($d \not\prec_c e$ must hold). This in turn implies that $a'$, beginning after $d$ completes, must be in $After(c, d_\bot)$, which contradicts the assumption that $a' \in E_{d_\bot}$. If $e$ is in $Bad(c, d_\bot)$, then there must exist $e' \in Bad(c, d_\bot)$ such that either $e' \prec_c e$ or $e' \prec_c d$. Because $Match$ is ordered, we have $d \not\prec_c e$. Together with the assumption that $d \prec_c a'$, these imply $e' \prec_c a'$. Now, if $a' \in Enq(c)$, then $a' \in Bad(c, d_\bot)$, which contradicts the assumption that $a' \in E_{d_\bot}$. If $a' \in Deq(c)$ with $Match(a') \neq \bot$, that $e' \in Bad(c, d_\bot)$ and $e' \prec_c a'$ hold means that $Match(a') \in Bad(c, d_\bot)$, which in turn contradicts the assumption that $a' \in D_{d_\bot}$. Finally, if $a' \in Deq(c)$ with $Match(a') = \bot$, then because $a' \in D_{d_\bot}$ there is some $d'' \in D'$ such that $a' \prec_c d''$, which leads to the same contradiction as the previous case.

— If $a = e \in Enq(c)$, $a'$ is either an enqueue event $e'$ or there is a dequeue event $d'$ such that $e \prec_c d'$ and $Match(d') \neq \bot$. For the latter claim, observe that either $Match(a') \neq \bot$ and we take $d' = a'$, or $Match(a') = \bot$ and by definition of $D_{d_\bot}$ there exists $d'$ such that $a' \prec_c d'$, which by transitivity of $\prec_c$ implies $e \prec_c d'$. If $e \notin E_{d_\bot}$, then either $e \in Bad(c, d_\bot)$ or $e \in After(c, d_\bot)$. If $e \in Bad(c, d_\bot)$ and $e \prec_c e'$ hold, then $e'$ must also be in $Bad(c, d_\bot)$, contradicting the assumption that $e' \in E_{d_\bot}$. If $e \in Bad(c, d_\bot)$ and $e \prec_c d'$ hold, then $Match(d')$, which exists because $Match$ is safe, must be in $Bad(c, d_\bot)$, which contradicts the assumption that $d' \in D_{d_\bot}$. If $e \in After(c, d_\bot)$, then $e \prec_c a'$ implies that $a' \in After(c, d_\bot)$, contradicting the assumption that $a' \in E_{d_\bot} \cup D_{d_\bot}$.

Thus, we conclude that $a \in E_{d_\bot} \cup D_{d_\bot}$ whenever $a \prec_c a'$ for some $a' \in E_{d_\bot} \cup D_{d_\bot}$.

• Let $e \in Before(c, d_\bot) \cap Enq(c)$. By the assumption that $Bad(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$, $e \notin Bad(c, d_\bot)$. Thus, by construction $e \in E_{d_\bot}$, establishing $Before(c, d_\bot) \cap Enq(c) \subseteq E_{d_\bot}$. Since $e \notin Bad(c, d_\bot)$, there exists $d$ such that $Match(d) = e$ and $d \in D'$, establishing $E_{d_\bot} \subseteq Match(D') \subseteq Match(D_{d_\bot})$.

($\Leftarrow$) Assume that there exist $D_{d_\bot} \subseteq Deq(c)$ and $E_{d_\bot} \subseteq Enq(c)$ such that all three conditions are satisfied. We now show that the sets $Bad(c, d_\bot)$ and $Before(c, d_\bot)$ are disjoint. We show by induction that there is no index $i$ such that $Bad_i(c, d_\bot) \cap Before(c, d_\bot) \neq \emptyset$. If $i = 0$, $e \in Bad_0(c, d_\bot)$ implies that there does not exist $d$ such that $Match(d) = e$ and $d_\bot \not\prec_c d$. By the assumption that $D_{d_\bot}$ and $After(c, d_\bot)$ are disjoint, we have $d \notin D_{d_\bot}$. But by the assumption that $Enq(c) \cap Before(c, d_\bot) \subseteq E_{d_\bot}$, we must have $e \in E_{d_\bot}$. This contradicts the assumption that $E_{d_\bot} \subseteq Match(D_{d_\bot})$.

Assume that for all indices less than or equal to $k$, for some $k \geq 0$, the claim holds: $i \leq k$ implies that $Bad_i(c, d_\bot)$ and $Before(c, d_\bot)$ are disjoint. Consider the index $k + 1$. Assume that there is $e \in Bad_{k+1}(c, d_\bot) \cap Before(c, d_\bot)$. Then there exists $e_k \in Bad_k(c, d_\bot)$ such that either $e_k \prec_c e$ or there is $d \in Deq(c)$ with $Match(d) = e$ and $e_k \prec_c d$. The former case, $e_k \prec_c e$, is not possible since that would imply that $e_k \in Before(c, d_\bot)$ and contradict that $Bad_k(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$. By the assumption that $E_{d_\bot} \cup D_{d_\bot}$ is closed under $\prec_c$, $d \in D_{d_\bot}$ and $e_k \prec_c d$, we must have $e_k \in E_{d_\bot}$. By the assumption that $E_{d_\bot} \subseteq Match(D_{d_\bot})$ and $e_k \in E_{d_\bot}$, there must be $d_k \in D_{d_\bot}$ such that $Match(d_k) = e_k$. But if $e_k \in Bad_k(c, d_\bot)$ and $d_k \in D_{d_\bot}$, then there must be $e_{k-1} \in Bad_{k-1}(c, d_\bot)$ such that $e_{k-1} \prec_c e_k$ or $e_{k-1} \prec_c d_k$. Applying the same arguments as above, we arrive, after $k$ iterations, at the conclusion that there must be some $e_0 \in Bad_0(c, d_\bot)$ which is also in $E_{d_\bot}$. But by definition, $d_0$ with $Match(d_0) = e_0$ cannot be in $D_{d_\bot}$ (if $d_0$ exists, then $d_0 \in After(c, d_\bot)$). This contradicts the assumption that $E_{d_\bot} \subseteq Match(D_{d_\bot})$. □

Definition 4.5. Let $c$ be a complete history with a linearization witness $Match$. Call two events $a$ and $a'$ in $c$ overlapping if neither $a \prec_c a'$ nor $a' \prec_c a$ holds. We define a relation $\ll^1_{c,Match}$ over $Enq(c)$. For two enqueue events $e_1$ and $e_2$, we have $e_1 \ll^1_{c,Match} e_2$ iff $e_1 \neq e_2$ and one of the following holds:

(1) $e_1 \prec_c e_2$.

(2) $e_1$ and $e_2$ are overlapping, there exists $d_1$ such that $Match(d_1) = e_1$, but there does not exist $d_2$ such that $Match(d_2) = e_2$.

(3) $e_1$ and $e_2$ are overlapping, and there exist $d_1$ and $d_2$ such that $Match(d_1) = e_1$, $Match(d_2) = e_2$, and $d_1 \prec_c d_2$.

(4) $e_1$ and $e_2$ are overlapping, there exist $d_1, d_2$ such that $Match(d_1) = e_1$, $Match(d_2) = e_2$, and there exists $d \in Deq(c)$ such that $Val_c(d) = NULL$, $e_1 \notin Bad(c, d)$ and $e_2 \in Bad(c, d)$.

Let $\ll_{c,Match}$, called the enq-order, denote the transitive closure of $\ll^1_{c,Match}$. We will drop the subscripts when the history $c$ and its linearization witness either are clear from the context or do not matter.

Lemma 4.6. Let $c$ be a complete history with linearization witness $Match$. Then, the induced enq-order $\ll_{c,Match}$ is a partial order over $Enq(c)$.
Proof. We have to show that there does not exist a sequence $e_1, \ldots, e_{k+1}$ of enqueue events such that $e_i \ll^1 e_{i+1}$ for $i \in [1, k]$ and $e_{k+1} = e_1$. The proof is by induction on $k$, the number of enqueue events in the sequence. In the base case, we note that $e_1 \ll^1 e_1$ is impossible by definition. Assume that there is no such sequence of length $k$ or less. Consider the sequence $e_1, \ldots, e_{k+1}$. For convenience, we will use $d_i$ to denote the dequeue event in $c$ such that $Match(d_i) = e_i$. If no such dequeue event exists for $e_i$, we will say that $d_i$ does not exist. We make the following observations about this sequence:

(1) If $d_i$ does not exist, then $d_{i+1}$ cannot exist. Assume the contrary, that for some $i$ we have $e_i \ll^1 e_{i+1}$, $d_i$ does not exist and $d_{i+1}$ exists. By the definition of $\ll^1$, $e_i \ll^1 e_{i+1}$ cannot be due to conditions 2-4, because they all require the existence of $d_i$. Then, we must have $e_i \prec_c e_{i+1}$. On the other hand, since $Match$ is a linearization witness for $c$, by condition 2 of ordered mapping, the existence of $d_{i+1}$ implies the existence of $d_i$, which contradicts the assumption that $d_i$ does not exist. Because the sequence represents a cycle and $\prec_c$ is a partial order, all $d_i$ exist.

(2) There cannot be two distinct pairs of events $(e_i, e_{i+1})$ and $(e_j, e_{j+1})$ such that $e_i \prec_c e_{i+1}$ and $e_j \prec_c e_{j+1}$ for some $i < j$. If there were, then we would have $e_i \prec_c e_{j+1}$ or $e_j \prec_c e_{i+1}$. If $e_i \prec_c e_{j+1}$, then $e_1 \ll^1 \ldots \ll^1 e_i \ll^1 e_{j+1} \ll^1 \ldots \ll^1 e_{k+1}$ hold and this sequence does not contain $e_{i+1}$. If $e_j \prec_c e_{i+1}$, then $e_{i+1} \ll^1 \ldots \ll^1 e_j \ll^1 e_{i+1}$ hold and this sequence does not contain $e_i$. Thus, both sequences have fewer than $k + 1$ events, which contradicts the inductive hypothesis.

We first show that none of the orderings in the cycle can be due to condition (4); i.e., there is no $i$ such that $e_i \ll^1 e_{i+1}$ because there is some $d \in Deq(c)$ such that $e_i \notin Bad(c, d)$ and $e_{i+1} \in Bad(c, d)$. We assume the contrary and, without loss of generality, assume that $e_1 \ll^1 e_2$ is due to condition (4). Then, there is $d \in Deq(c)$ such that $e_1 \notin Bad(c, d)$ and $e_2 \in Bad(c, d)$. Observe that for all other enqueue events $e_j$ in the sequence, $e_j \notin Bad(c, d)$, as otherwise $e_1 \ll^1 e_j$, which results in a shorter cycle contradicting the inductive hypothesis. In particular, $e_3 \notin Bad(c, d)$, but this immediately leads to $e_3 \ll^1 e_2$. This implies that $e_2, e_3, e_2$ is also a cycle. Thus, if any consecutive events in the cycle are ordered due to condition (4), then $k \leq 2$. Clearly $e \ll^1 e$ can never hold due to condition (4), leading to the conclusion that if $e_1 \ll^1 e_2$ is due to condition (4), then $k = 2$.

Now, assume by contradiction that $e_1 \ll^1 e_2 \ll^1 e_1$ exists and there is $d$ such that $e_1 \notin Bad(c, d)$ and $e_2 \in Bad(c, d)$. Since $e_1 \notin Bad(c, d)$, $d_1$ exists. By the first observation above, $d_2$ also exists. So, $e_2 \ll^1 e_1$ cannot be due to condition (2). We do a case analysis on the possible justifications for $e_2 \ll^1 e_1$.

• Assume that $e_2 \prec_c e_1$ (condition (1)). By the assumption that $e_2 \in Bad(c, d)$, we have $e_1 \in Bad(c, d)$, which contradicts the assumption that $e_1 \notin Bad(c, d)$.

• Assume that $e_2$ and $e_1$ are overlapping and $d_2 \prec_c d_1$ (condition (3)). Because $e_2 \in Bad(c, d)$, either $d \prec_c d_2$ or $d \prec_c e_2$ or there is an enqueue event $e' \in Bad(c, d)$ such that either $e' \prec_c e_2$ or $e' \prec_c d_2$ holds. If $d \prec_c d_2$ holds, then by transitivity $d \prec_c d_1$ also holds. If $d \prec_c e_2$ holds, then because $d_2 \prec_c e_2$ cannot hold ($Match$ is ordered), $d \prec_c d_1$ must hold. If $e' \prec_c e_2$ holds, then because $d_2 \not\prec_c e_2$ holds (due to $Match$ being ordered) we must have $e' \prec_c d_1$. Finally, if $e' \prec_c d_2$ holds, then by transitivity $e' \prec_c d_1$ also holds. All four cases contradict the assumption that $e_1 \notin Bad(c, d)$.

• Assume that there exists $d' \in Deq(c)$ such that $Match(d') = \bot$, $e_2 \notin Bad(c, d')$ and $e_1 \in Bad(c, d')$ (condition (4)). We do a case analysis on the possible justifications of $e_1 \in Bad(c, d')$ and $e_2 \in Bad(c, d)$ holding:

— $d' \prec_c e_1$, and $d \prec_c e_2$. Then either $d' \prec_c e_2$ or $d \prec_c e_1$ holds.

— $d' \prec_c e_1$, and $d \prec_c d_2$. Then either $d' \prec_c d_2$ or $d \prec_c e_1$ holds.

— $d' \prec_c e_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c e_2$. Then either $d' \prec_c e_2$ or $e_{b,d} \prec_c e_1$ holds.

— $d' \prec_c e_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c d_2$. Then either $d' \prec_c d_2$ or $e_{b,d} \prec_c e_1$ holds.

— $d' \prec_c d_1$, and $d \prec_c e_2$. Then either $d' \prec_c e_2$ or $d \prec_c d_1$ holds.

— $d' \prec_c d_1$, and $d \prec_c d_2$. Then either $d' \prec_c d_2$ or $d \prec_c d_1$ holds.

— $d' \prec_c d_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c e_2$. Then either $d' \prec_c e_2$ or $e_{b,d} \prec_c d_1$ holds.

— $d' \prec_c d_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c d_2$. Then either $d' \prec_c d_2$ or $e_{b,d} \prec_c d_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c e_1$, and $d \prec_c e_2$. Then either $e_{b,d'} \prec_c e_2$ or $d \prec_c e_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c e_1$, and $d \prec_c d_2$. Then either $e_{b,d'} \prec_c d_2$ or $d \prec_c e_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c e_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c e_2$. Then either $e_{b,d'} \prec_c e_2$ or $e_{b,d} \prec_c e_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c e_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c d_2$. Then either $e_{b,d'} \prec_c d_2$ or $e_{b,d} \prec_c e_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c d_1$, and $d \prec_c e_2$. Then either $e_{b,d'} \prec_c e_2$ or $d \prec_c d_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c d_1$, and $d \prec_c d_2$. Then either $e_{b,d'} \prec_c d_2$ or $d \prec_c d_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c d_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c e_2$. Then either $e_{b,d'} \prec_c e_2$ or $e_{b,d} \prec_c d_1$ holds.

— There is $e_{b,d'} \in Bad(c, d')$ such that $e_{b,d'} \prec_c d_1$, and there is $e_{b,d} \in Bad(c, d)$ such that $e_{b,d} \prec_c d_2$. Then either $e_{b,d'} \prec_c d_2$ or $e_{b,d} \prec_c d_1$ holds.

In all cases the former implication contradicts $e_2 \notin Bad(c, d')$ and the latter implication contradicts $e_1 \notin Bad(c, d)$.

Thus, if $e_1, e_2, \ldots, e_{k+1}$ is a cycle in $\ll^1$, none of the pairwise orderings can be due to condition (4).

Now consider the case where all consecutive events are overlapping; that is, $e_i$ and $e_{i+1}$ are overlapping for all $i \in [1, k]$. Then, by the definition of $\ll^1$ and the first observation, we must have $d_i \prec_c d_{i+1}$. But this would imply by the transitivity of $\prec_c$ that $d_1 \prec_c d_{k+1} = d_1$, which is impossible due to $\prec_c$ being a partial order.

So, there must be exactly one pair $e_i$ and $e_{i+1}$ of events ordered by $\prec_c$. Without loss of generality assume that $e_1 \prec_c e_2$. By the second observation, $e_2$ is overlapping with all $e_{i+1}$ for $i \in [2, k]$. In particular, $e_2$ and $e_{k+1} = e_1$ must be overlapping. That contradicts the assumption that $e_1 \prec_c e_2$. Thus no sequence of length $k + 1$ can have a cycle in the relation. □

The main result of this section is stated below. 

Theorem 4.7. A set of histories $C$ is linearizable with respect to queue iff every $c \in C$ has a completion $\bar{c} \in Compl(c)$ that has a linearization witness.
Proof.

($\Rightarrow$) If $c \in C$ is linearizable with respect to queue, then there is a linearization $s$ of $c$ which is a legal queue behavior. By Theorem 3.10, $s$ has a sequential witness $\mu_{seq}$. The mapping $\mu_{seq}$ satisfies the conditions of a linearization witness since all $\prec_c$ orderings are preserved in $s$. In particular, $\mu_{seq}$ is safe because conditions (i) to (iii) of sequential witness imply conditions (1) to (3) of safe mapping. It is ordered because

• by condition (iv) of sequential witness, $\mu_{seq}(d) = e$ implies $e \prec_s d$, and the definition of linearizability implies that $d \not\prec_c e$, which is condition (1) of ordered mapping;

• assume that there exist $d', e', e$ such that $e' = \mu_{seq}(d')$ and $e \prec_c e'$. Then by definition of linearization, $e \prec_s e'$. By condition (v) of sequential witness, $d = \mu_{seq}^{-1}(e)$ exists and $d \prec_s d'$. By definition of linearization, this in turn implies that $d' \not\prec_c d$, which is condition (2) of ordered mapping.

Assume $d = deq(NULL) \in Deq(c)$. Define the sets $D_d = \{d' \in Deq(s) \mid d' \prec_s d\}$ and $E_d = \{e \in Enq(s) \mid e \prec_s d\}$. Observe that $(D_d \cup E_d) \cap After(c, d) = \emptyset$ because for any $a \in After(c, d)$, by definition we have $d \prec_c a$, which implies $d \prec_s a$, which in turn implies $a \notin D_d \cup E_d$. Assume there is $e \in Before(c, d) \cap Enq(c)$. Then by definition of linearization, $e \prec_s d$. By construction, $Before(c, d) \cap Enq(c) \subseteq E_d$. Let $i$ denote the position of $d$ in $s$; i.e., $s(i) = d$. Because $s$ is legal, it has an obs-equivalent canonical behavior, $s'$. By Lemma 3.8, $s'(i) = d$. By definition of canonical behavior, each enqueue event in $s'(1 : i - 1)$ has a matching dequeue event in $s'(1 : i - 1)$. Since $s$ and $s'$ are obs-equivalent, each enqueue event in $s(1 : i - 1)$ has a matching dequeue event in $s(1 : i - 1)$. Thus, $E_d \subseteq Match(D_d)$, the inclusion being proper in case $D_d$ contains a NULL-dequeue event (distinct from $d$ since $d \notin D_d$). Thus, $Before(c, d) \cap Enq(c) \subseteq E_d \subseteq Match(D_d)$. Since all conditions of linearization witness per Lemma 4.4 are satisfied for $D_d$ and $E_d$, $\mu_{seq}$ is a linearization witness.

($\Leftarrow$) Let $c$ be a complete history with a linearization witness $Match$. Let $<$ denote a total order extension of $\ll$. That is, $<$ is a total order over $Enq(c)$ such that whenever $e \ll e'$, we have $e < e'$. Let $e^*$ denote the $<$-maximal enqueue event. That is, for any $e \in Enq(c)$, we have $e < e^*$ whenever $e \neq e^*$.

In order to prove the if-direction ($\Leftarrow$), we will make use of $<$ to construct a sequence $s$ with sequential witness $\mu$. We actually prove a stronger property, which also requires that if $e < e'$ in $c$ then $e \prec_s e'$. By Theorem 3.10, the result follows.

The construction is given by induction on the number of (completed) events in $c$. In the base case, there are no events and $\varepsilon$ with the empty mapping is the desired sequence. Assume that the claim holds for all complete concurrent histories with $k$ events or less. Let $c$ be a complete concurrent history with $k + 1$ events and $Match$ be a linearization witness for $c$. We first choose an event.

Call event $a \in Enq(c) \cup Deq(c)$ maximal (relative to $<$) if there is no event $a'$ such that $a \prec_c a'$ and one of the following holds:

(1) $a = e^* \in Enq(c)$, and there is no $d^*$ such that $Match(d^*) = e^*$.

(2) $a = d \in Deq(c)$ with $Match(d) \neq \bot$, and there is no $d'$ such that $Match(d) < Match(d')$.

(3) $a = d_\bot \in Deq(c)$ with $Match(d_\bot) = \bot$, and $Bad(c, d_\bot) = \emptyset$.

Let $c$ be a non-empty complete history and $Match$ be its linearization witness. We first show that there is at least one event in $c$ that is maximal relative to $<$. First, observe that if $Enq(c) = \emptyset$, then any $d \in Deq(c)$ must return NULL; otherwise, $Match$ cannot be safe. Then, any $d$ such that no $d' \in Deq(c)$ with $d \prec_c d'$ exists is maximal. Since $\prec_c$ is a partial order, such $d$ must exist. If conversely we assume that $Enq(c) \neq \emptyset$ and $Deq(c)$ is empty, then $e^*$ is maximal.

Assume that $Enq(c)$ and $Deq(c)$ are non-empty. If $e^*$ is not maximal, it must be because there is $d^* \in Deq(c)$ such that $Match(d^*) = e^*$. Then, by definition of $<$ and the assumption that $e^*$ is $<$-maximal, there cannot be $d' \in Deq(c)$ such that $d^* \prec_c d'$ if $Match(d') \neq \bot$. So, $d^*$ is not maximal only if there is $d_\bot \in Deq(c)$ with $Match(d_\bot) = \bot$ and $d^* \prec_c d_\bot$. Furthermore, the definition of $\ll^1$, that $e^*$ is $<$-maximal and that $d^*$ exists imply that for all $e \in Enq(c)$ there is $d' \in Deq(c)$ such that $Match(d') = e$. In particular, this means that for $d_\bot \in Deq(c)$ such that no $d' \in Deq(c)$ with $d_\bot \prec_c d'$ exists and $d^* \prec_c d_\bot$, we have $Bad(c, d_\bot) = \emptyset$, making $d_\bot$ a maximal element. Thus, the set of maximal events in any non-empty history is non-empty.

Let $A$ denote the set of maximal elements relative to $<$. If $A$ contains a dequeue event $d$ such that $Match(d) = \bot$, then we choose $d$. Otherwise, if $A$ contains a dequeue event $d^*$ such that $Match(d^*) \neq \bot$, then we choose $d^*$. If neither condition holds, we choose $e^*$.

We now show that if $c$ is a non-empty history with linearization witness $Match$, the history $c'$ obtained by removing the chosen event from $c$ has $Match'$, which is $Match$ restricted to the remaining events in $c'$, as a linearization witness. Before we do a case analysis on the type of the chosen event, we make two observations. First, if $c'$ is obtained from $c$ by removing an event $a$ and a mapping is safe for $c$, then it is also safe for $c'$ when restricted to $Deq(c')$. Second, removing $a$ from $c$ does not change the relative ordering among the remaining events. So $b \prec_c d$ holds iff $b \prec_{c'} d$ holds. In particular, if $a \in Deq(c)$ and a mapping is ordered for $c$, then it is ordered for $c'$.

We have three cases to consider for the chosen event:

• The chosen event is $d_\bot$ with $Match(d_\bot) = \bot$. Let $d' \in Deq(c)$ be such that $Match(d') = \bot$. Since $Match(d_\bot) = \bot$, after removing $d_\bot$ we have $Enq(c') = Enq(c)$ and thus $Bad(c, d') = Bad(c', d')$. Additionally, $Before(c, d')$ is the same as $Before(c', d')$ when both are restricted to $Enq(c) = Enq(c')$. Then, we have

$Before(c, d') \cap Bad(c, d')$

$= Before(c, d') \cap Bad(c, d') \cap Enq(c)$ [$Bad(c, d') \subseteq Enq(c)$]

$= Before(c, d') \cap Bad(c, d') \cap Enq(c')$ [$Enq(c) = Enq(c')$]

$= Before(c, d') \cap Bad(c', d') \cap Enq(c')$ [$d_\bot \notin Bad(c, d')$]

$= Before(c', d') \cap Bad(c', d') \cap Enq(c')$ [$Before(c, d') \cap Enq(c) = Before(c', d') \cap Enq(c')$]

$= Before(c', d') \cap Bad(c', d')$ [$Bad(c', d') \subseteq Enq(c')$]

establishing that $Before(c', d') \cap Bad(c', d') = \emptyset$. Thus, $Match'$ is a linearization witness for $c'$.

• The chosen event is $d^* \in Deq(c)$. Observe that $Match(d^*)$ is the $<$-maximal enqueue event $e^*$. By the second observation above, $Match'$ is ordered for $c'$. We have to show that for any $d_\bot \in Deq(c')$, $Match'(d_\bot) = \bot$ is justified; that is, $Bad(c', d_\bot) \cap Before(c', d_\bot) = \emptyset$. By the assumption that $Match$ is a linearization witness for $c$, we have $Bad(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$. If $d_\bot \prec_c e^*$, then $e^* \in Bad(c', d_\bot)$ by definition. If $d_\bot \prec_c d^*$, then $e^* \in Bad_0(c, d_\bot)$ and $e^* \in Bad_0(c', d_\bot)$, so $Bad(c', d_\bot) = Bad(c, d_\bot)$.

Then, the interesting case is when $e^* \notin Bad(c, d_\bot)$. First observe that $Bad(c, d_\bot) \neq \emptyset$ iff $e^* \in Bad(c, d_\bot)$. For the only-if ($\Rightarrow$) direction, assume that there is some $e \in Bad(c, d_\bot)$. By the definition of $\ll^1$, if $e^* \notin Bad(c, d_\bot)$ then $e^* \ll^1 e$, contradicting the $<$-maximality of $e^*$. The if ($\Leftarrow$) direction is trivial. This implies that $Bad(c, d_\bot) = \emptyset$ because $e^* \notin Bad(c, d_\bot)$. If there are several such NULL-returning dequeues, choose $d_\bot$ such that for any $a \in Deq(c)$ with $d_\bot \prec_c a$ we have $Match(a) \neq \bot$. Intuitively, $d_\bot$ is the $<$-maximal among dequeue events returning NULL.

Now since $d^*$ was chosen, we know that there must be at least one $a$ such that $d_\bot \prec_c a$, since otherwise $d_\bot$ would have been chosen. By the assumption about $d_\bot$, $a$ is not a dequeue event in $Deq(c)$ with $Match(a) = \bot$. If $a = e \in Enq(c)$, then $e \in Bad(c, d_\bot)$, contradicting the assumption that $Bad(c, d_\bot) = \emptyset$. So $a = d \in Deq(c)$ with $Match(d) \neq \bot$. But then $Match(a)$, which must exist because $Match$ is safe, is in $Bad(c, d_\bot)$, again contradicting the assumption that $Bad(c, d_\bot) = \emptyset$. So, by contradiction we conclude that there is no such $d_\bot$ for which $Bad(c, d_\bot) = \emptyset$ and $Bad(c', d_\bot) \neq \emptyset$ hold.

• The chosen event is $e^* \in Enq(c)$. By the assumption about the chosen event, $d^*$ does not exist, so $Deq(c) = Deq(c')$ and $Match'$ is safe because $Match$ is safe. Because $d^*$ does not exist, if $d_\bot$ is such that $Match(d_\bot) = \bot$, then $e^* \in Bad(c, d_\bot)$. Then, for every such $d_\bot$, $Bad(c', d_\bot) \subseteq Bad(c, d_\bot)$, which means that $Bad(c, d_\bot) \cap Before(c, d_\bot) = \emptyset$ implies $Bad(c', d_\bot) \cap Before(c', d_\bot) = \emptyset$. So, $Match'$ is a linearization witness for $c'$.

Now, we know that $Match'$ is a linearization witness for $c'$, which has exactly $k$ events. By the inductive hypothesis, $c'$ is linearizable with respect to queue. That is, there is a linearization $s'$ of $c'$ which is a legal queue behavior. By Theorem 3.10, $s'$ has a sequential witness $\mu'$. We claim that $s = s' \cdot a$, where $a$ is the chosen element in $c$ as described above, is a legal queue behavior. Additionally, we will also show that for any two enqueue events $e$ and $e'$ both in $Enq(c)$, $e < e'$ implies $e \prec_s e'$.

Assume that the chosen element was $a = d_\bot \in Deq(c)$ such that $Match(d_\bot) = \bot$. We set $\mu = \mu'[a \mapsto \bot]$. Observe that by the assumption that $d_\bot$ is a chosen element, we must have $Bad(c, d_\bot) = \emptyset$. This implies that for all $e \in Enq(c)$, there is $d \in Deq(c')$ such that $Match(d) = e$; as otherwise, $e$ would be in $Bad(c, d_\bot)$. Since all events of $c'$ are the same as the events of $s'$, the sets $\{e \in Enq(c) \mid e \prec_s d_\bot\} = Enq(c)$ and $\{d \in Deq(c) \mid d \prec_s d_\bot \land \mu(d) \neq \bot\}$ have the same cardinality. These along with the inductive hypothesis that $\mu'$ is a sequential witness for $s'$ imply that all six conditions of a sequential witness are satisfied for $\mu$ and $s$. Because the relative ordering of events in $Enq(c)$ in $s'$ remains the same in $s$, $e \prec_{s'} e'$ implies $e \prec_s e'$, and by induction hypothesis this can happen only when $e < e'$.

Assume that the chosen element was $a = d^* \in Deq(c)$ such that $Match(d^*) = e^*$. We set $\mu = \mu'[a \mapsto e^*]$. Because $Match$ was safe for $c$, $e^*$ exists and $\mu$ is well-defined. By the inductive hypothesis, $e^*$ is in $s'$ and hence $e^* \prec_s d^*$. Again by the inductive hypothesis, for any $e \in Enq(c)$, we have $e \prec_s e^*$. Since $d^*$ is the last event in $s$, no event can follow $d^*$ in $s$. In particular, there is no $d' \in Deq(c')$ such that $d^* \prec_s d'$. These along with the inductive hypothesis imply that $\mu$ is a sequential witness for $s$. Similar to the previous case, $e \prec_{s'} e'$ implies $e \prec_s e'$ and by inductive hypothesis this can happen only when $e < e'$.

Assume that the chosen element was $a = e^*$. We take $\mu = \mu'$. Because $e^*$ is chosen, $d^*$ does not exist in $c$. Furthermore, since $e^*$ is the last event in $s$, no other event can follow $e^*$ in $s$. These observations along with the inductive hypothesis imply that $\mu$ is a sequential witness for $s$. Observe also that $e^*$, being the last element in $s$, satisfies the condition that it should not precede any other enqueue event in $s$, satisfying the condition that $e < e'$ implies $e \prec_s e'$. □
Necessary and Sufficient Conditions for Complete Histories. We now focus on complete histories, namely ones with no pending events. We observe that whether a history is not linearizable can always be determined by examining the dequeued values. Let $c$ be a complete history. In order to simplify the technical presentation we assume that each value is enqueued at most once.¹ The possible violations in $c$ are:

(VFresh): A dequeue event returns a value not previously inserted by any enqueue event. Formally, there exists a value $x \neq NULL$ such that $deq(x) \in Deq(c)$ and either $enq(x) \notin Enq(c)$ or $deq(x) \prec_c enq(x)$.

(VRepet): Two dequeue events return the value inserted by the same enqueue event. Formally, there exist two dequeue events $d, d' \in Deq(c)$ such that $Val_c(d) = Val_c(d') \neq NULL$.

(VOrd): Two values are enqueued in a certain order, and a dequeue returns the later value before any dequeue of the earlier value starts. Formally, there exist values $x, y$ such that $enq(y) \prec_c enq(x)$, $deq(x) \in Deq(c)$, and either $deq(y) \notin Deq(c)$ or $deq(x) \prec_c deq(y)$.

(VWit): A dequeue event returns NULL even though the queue is never logically empty during the execution of the dequeue event. Formally, let $c = c_0 \cdot deq_i(NULL) \cdot c_d \cdot deq_r(NULL) \cdot c_3$, where $c_0, c_3$ represent subsequences of $c$. Then for any choice of $c_1$ and $c_2$ such that $c_d = c_1 \cdot c_2$, there exists an $enq(x) \in Enq(c)$ completed in $c_0 \cdot deq_i(NULL) \cdot c_1$ and $deq_i(x)$ does not occur in $c_0 \cdot deq_i(NULL) \cdot c_1$.
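As an added example that is not part of the paper, the following Python checker implements safe and ordered mappings, the inductive $Bad$ set and the linearization-witness condition of Definitions 4.1 to 4.3 for a complete history, and then exercises them on constructed histories showing each of the four violation patterns above, in the sense of Proposition 4.8. It assumes this section's convention that each value is enqueued at most once (so $Match$ can be read off the values); the `Event` record and the integer invocation/response times are constructed for the example, and $a \prec_c b$ is taken to mean that $a$ returns before $b$ is invoked.

```python
from dataclasses import dataclass

NULL = None  # return value of a dequeue that found the queue empty


@dataclass(frozen=True)
class Event:
    kind: str    # "enq" or "deq"
    val: object  # value enqueued or dequeued; NULL for deq(NULL)
    inv: int     # invocation (call) time, constructed for the example
    res: int     # response (return) time


def precedes(a, b): return a.res < b.inv  # a <_c b: a returns before b is invoked

def enqs(c): return [e for e in c if e.kind == "enq"]
def deqs(c): return [d for d in c if d.kind == "deq"]


def match_by_value(c):
    """Candidate Match: deq(x) -> enq(x), deq(NULL) -> None (the paper's bottom). Reading it
    off the values is sound only because values are enqueued at most once; deq(x) with no enq(x) -> None."""
    by_val = {}
    for e in enqs(c):
        assert e.val not in by_val, "each value is assumed to be enqueued at most once"
        by_val[e.val] = e
    return {d: (None if d.val is NULL else by_val.get(d.val)) for d in deqs(c)}


def is_safe(c, match):
    """Def 4.1: (2) bottom iff NULL, (1) values agree, (3) injective off bottom."""
    seen = set()
    for d in deqs(c):
        e = match[d]
        if (e is None) != (d.val is NULL):
            return False
        if e is not None:
            if e.val != d.val or e in seen:
                return False
            seen.add(e)
    return True


def is_ordered(c, match):
    """Def 4.2: a safe mapping that respects the precedence order of c."""
    if not is_safe(c, match):
        return False
    matched = {e: d for d, e in match.items() if e is not None}
    for d, e in match.items():
        if e is not None and precedes(d, e):
            return False  # (1): a dequeue cannot complete before its enqueue starts
    for e in enqs(c):
        for d2, e2 in match.items():
            if e2 is not None and precedes(e, e2):
                d = matched.get(e)  # (2): the earlier enqueue is dequeued, not after d2
                if d is None or precedes(d2, d):
                    return False
    return True


def bad(c, match, d_bot):
    """Bad(c, d_bot): least fixpoint of Bad_0 and Bad_{i+1} as defined in Sect. 4."""
    matched = {e: d for d, e in match.items() if e is not None}
    result = set()
    for e in enqs(c):  # Bad_0: enqueued after d_bot, or dequeued (if ever) after d_bot
        d = matched.get(e)
        if precedes(d_bot, e) or d is None or precedes(d_bot, d):
            result.add(e)
    changed = True
    while changed:  # Bad_{i+1}: e or its dequeue is preceded by something already bad
        changed = False
        for e in enqs(c):
            d = matched.get(e)
            if e not in result and any(
                precedes(b, e) or (d is not None and precedes(b, d)) for b in result
            ):
                result.add(e)
                changed = True
    return result


def is_linearization_witness(c, match):
    """Def 4.3: ordered, and every deq(NULL) d has Bad(c, d) disjoint from Before(c, d)."""
    if not is_ordered(c, match):
        return False
    for d in deqs(c):
        if match[d] is None:
            before = {a for a in c if precedes(a, d)}
            if bad(c, match, d) & before:
                return False
    return True


def linearizable(c):
    """Proposition 4.8, for a complete history whose values are enqueued at most once."""
    return is_linearization_witness(c, match_by_value(c))


# Constructed sample histories; the times are arbitrary integers chosen for the example.
def E(v, i, r): return Event("enq", v, i, r)
def D(v, i, r): return Event("deq", v, i, r)
LEGAL = [E(1, 0, 1), E(2, 2, 3), D(1, 4, 5), D(2, 6, 7), D(NULL, 8, 9)]
OVERLAP = [E(1, 0, 5), D(NULL, 1, 2), D(1, 6, 7)]        # deq(NULL) overlaps enq(1): fine
V_ORD = [E(1, 0, 1), E(2, 2, 3), D(2, 4, 5), D(1, 6, 7)]  # VOrd: fails Def 4.2 (2)
V_WIT = [E(1, 0, 1), D(NULL, 2, 3), D(1, 4, 5)]           # VWit: enq(1) in Bad and Before
V_REPET = [E(1, 0, 1), D(1, 2, 3), D(1, 4, 5)]            # VRepet: fails Def 4.1 (3)
V_FRESH = [D(7, 0, 1)]                                    # VFresh: fails Def 4.1
```

`OVERLAP` shows why the witness condition is about $Before(c, d)$ rather than all of $Enq(c)$: the enqueue is in $Bad$, but it has not completed when the NULL dequeue starts, so the dequeue can still be linearized before it.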

We have the following result which ties the above violation types to linearizable queues. 

Proposition 4.8. A complete history c is linearizable with respect to queue iff it has none 
of the VFresh, VRepet, VOrd, VWit violations. 
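The four violations above are decidable by direct inspection of a finite complete history. As an added example that is not part of the paper, the following Python checker encodes each of the four conditions over a constructed history: events carry totally ordered invocation and response times, e ≺_c e' holds when the response of e precedes the invocation of e', and, as in the paper, every value is enqueued at most once. By Proposition 4.8 an empty result means the history is linearizable with respect to the queue specification. VWit is checked literally as defined: in every prefix of c that ends while the NULL-returning dequeue is pending, some enqueue must already be completed while its matching dequeue has not been invoked. The sample histories are constructed here and are not taken from the paper.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Optional

NULL = None  # the value a dequeue returns when it finds the queue empty


@dataclass(frozen=True)
class Event:
    kind: str             # "enq" or "deq"
    value: Optional[int]  # argument of enq, or return value of deq (NULL = None)
    inv: int              # time of the invocation action
    res: int              # time of the response action (the history is complete)


def precedes(a: Event, b: Event) -> bool:
    """a ≺_c b: the response of a occurs before the invocation of b."""
    return a.res < b.inv


def check_violations(c: List[Event]) -> List[str]:
    """Return the sorted names of the violations (VFresh, VRepet, VOrd, VWit)
    present in the complete history c. By Proposition 4.8 an empty list means
    that c is linearizable with respect to the queue specification."""
    times = [t for e in c for t in (e.inv, e.res)]
    assert len(set(times)) == len(times), "actions must be totally ordered"
    assert all(e.inv < e.res for e in c), "the history must be complete"

    # Each value is enqueued at most once (the paper's simplifying assumption).
    enq_of: Dict[int, Event] = {}
    for e in c:
        if e.kind == "enq":
            assert e.value not in enq_of, "each value is enqueued at most once"
            enq_of[e.value] = e
    # Earliest-invoked dequeue returning each non-NULL value; in the absence of
    # VRepet this is the unique dequeue matching that value's enqueue.
    deq_of: Dict[int, Event] = {}
    for d in sorted(c, key=lambda e: e.inv):
        if d.kind == "deq" and d.value is not NULL:
            deq_of.setdefault(d.value, d)

    found = set()

    # VFresh: a returned value was never enqueued, or only after the dequeue completed.
    for d in c:
        if d.kind == "deq" and d.value is not NULL:
            e = enq_of.get(d.value)
            if e is None or precedes(d, e):
                found.add("VFresh")

    # VRepet: two dequeues return the same non-NULL value.
    returned = [d.value for d in c if d.kind == "deq" and d.value is not NULL]
    if len(returned) != len(set(returned)):
        found.add("VRepet")

    # VOrd: enq(y) ≺ enq(x), x is dequeued, and y is dequeued only later (or never).
    for ey, ex in permutations(enq_of.values(), 2):
        dx = deq_of.get(ex.value)
        if precedes(ey, ex) and dx is not None:
            dy = deq_of.get(ey.value)
            if dy is None or precedes(dx, dy):
                found.add("VOrd")

    # VWit: a dequeue returns NULL although in every prefix ending at an action at
    # which it is pending some enqueue is completed and its matching dequeue has
    # not yet been invoked, i.e. the queue is never logically empty meanwhile.
    def enqueue_alive_at(t: int) -> bool:
        return any(e.res <= t and (e.value not in deq_of or deq_of[e.value].inv > t)
                   for e in enq_of.values())

    for d in c:
        if d.kind == "deq" and d.value is NULL:
            pending_at = [d.inv] + [t for t in times if d.inv < t < d.res]
            if all(enqueue_alive_at(t) for t in pending_at):
                found.add("VWit")

    return sorted(found)


# Constructed sample histories (not from the paper); the times fix the action order.
SAMPLES = {
    "linearizable": [Event("enq", 1, 0, 1), Event("enq", 2, 2, 3),
                     Event("deq", 1, 4, 5), Event("deq", 2, 6, 7)],
    "fresh":        [Event("deq", 7, 0, 1), Event("enq", 7, 2, 3)],
    "repet":        [Event("enq", 1, 0, 1), Event("deq", 1, 2, 3), Event("deq", 1, 4, 5)],
    "ord":          [Event("enq", 1, 0, 1), Event("enq", 2, 2, 3), Event("deq", 2, 4, 5)],
    "wit":          [Event("enq", 1, 0, 1), Event("deq", NULL, 2, 5), Event("deq", 1, 6, 7)],
    # enq(1) is still pending while the NULL dequeue runs, so the queue may be empty.
    "empty_ok":     [Event("enq", 1, 0, 3), Event("deq", NULL, 1, 2), Event("deq", 1, 4, 5)],
}

if __name__ == "__main__":
    for name, history in SAMPLES.items():
        print(f"{name:12s} -> {check_violations(history) or 'linearizable'}")
```

Running the module prints one line per sample; the "empty_ok" history shows why VWit quantifies over all splits of c_d: the enqueue concurrent with the NULL dequeue is not completed at the dequeue's invocation, so the queue may legitimately be observed empty.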

Proof. 

(⇒) If c is linearizable with respect to queue, then by Theorem 4.7 c = c̄ has a linearization 
witness Match. We show by contradiction that none of the four violations can happen in c. 

• Assume that c has VFresh. Then there exists a dequeue event d ∈ Deq(c) such that 
Val_c(d) ≠ NULL and either e = Match(d) does not exist or d ≺_c e = Match(d). That 
e = Match(d) does not exist is impossible because by the second condition of safe mapping, 
Match(d) ≠ ⊥ and by the first condition of safe mapping Match(d) ∈ Enq(c). That 
d ≺_c e = Match(d) holds is impossible because by the first condition of safe mapping, 
d ⊀_c Match(d) = e. 

• Assume that c has VRepet. Then there exist d, d' ∈ Deq(c) with Val_c(d) = Val_c(d') ≠ NULL. 
This is impossible by the third condition of safe mapping. 

• Assume that c has VOrd. Then there exist e, e' ∈ Enq(c), d' ∈ Deq(c) such that e ≺_c e' = 
Match(d') and either d ∈ Deq(c) such that Match(d) = e does not exist or such a d exists 
and d' ≺_c d. Both possibilities contradict the second condition of ordered mapping. 

• Assume that c has VWit. Then c is of the form c_0 · inv(d⊥) · c_d · res(d⊥) · c_3 such that 
Match(d⊥) = ⊥, and for every possible partitioning of c_d = c_1 · c_2, there is an enqueue 
event e ∈ Enq(c_p) with c_p = c_0 · inv(d⊥) · c_1 such that e is completed in c_p and there is 
no dequeue event d, pending or completed, in c_p such that Match(d) = e. First, observe 
that by choosing c_2 = ε (resulting in c_p = c_0 · inv(d⊥) · c_d), we conclude that there is at 
least one enqueue event e_0 ∈ Enq(c_p) whose matching dequeue event d_0 is not in Deq(c_p); 
that is, d⊥ ≺_c d_0 if d_0 ∈ Deq(c). This implies that e_0 ∈ Bad(c, d⊥). Because Match is a 
linearization witness for c, we must have Bad(c, d⊥) ∩ Before(c, d⊥) = ∅. In other words, 
all enqueue events e ∈ Bad(c, d⊥) must not belong to Before(c, d⊥). This implies that 
if e ∈ Bad(c, d⊥) then res(e) must happen after inv(d⊥). Let e ∈ Bad(c, d⊥) be chosen 
such that for any other e' ∈ Bad(c, d⊥), res(e) occurs before res(e') in c. Let c_d = c_1 · c_2 
with c_2 = res(e) · c'_2. By the assumption that there is a VWit violation for d⊥, there must 
be an enqueue event e' in c_p = c_0 · inv(d⊥) · c_1 such that if there is d' ∈ Deq(c) with 
Match(d') = e', then d' is neither completed nor pending in c_p. This implies that inv(d'), 
if it exists, must occur after res(e). Because e is not completed in c_p (it is completed in 
c_p · res(e)), e' ≠ e. These two facts imply that either d' ∉ Deq(c) or, if d' ∈ Deq(c), then 
e ≺_c d' holds. But this implies that e' ∈ Bad(c, d⊥). This contradicts the assumption 
that e is the first enqueue event in Bad(c, d⊥) to complete in c. That such an e does not 
exist implies that there is at least one enqueue event in Bad(c, d⊥) which is completed 
in c_0, which implies that it belongs to Before(c, d⊥). Finally, this contradicts the assumption that 
Bad(c, d⊥) and Before(c, d⊥) are disjoint. 

¹ In case there are multiple occurring values, this is akin to guessing the mapping Match; it is enough 
that at least one guess satisfies the criteria (absence of violations). 

(⇐) Assume that there exists a complete history c in which none of the violations happen. 
We will show that the mapping that pairs events enqueueing and dequeueing the same value 
is a linearization witness for c. 

Let D_v = {deq(x) ∈ Deq(c) | x ≠ NULL} denote the set of all non-NULL returning 
dequeue events of c. Similarly, let D_n = Deq(c) \ D_v denote the set of all NULL returning 
dequeue events of c. Let M_v be the mapping from D_v to Enq(c) such that M_v(d) = e iff 
Val_c(d) = Val_c(e). Let M_n be such that all d ∈ D_n are mapped to ⊥. We claim that Match 
defined as 

$$\mathit{Match}(d) \stackrel{\text{def}}{=} \begin{cases} M_v(d) & \text{if } d \in D_v \\ M_n(d) & \text{if } d \in D_n \end{cases}$$

is a linearization witness for c. 

First, observe that M_v is a total mapping because c does not have VFresh. Furthermore, 
because c does not contain VRepet, Match is a safe mapping by construction. Match satisfies 
the first condition of an ordered mapping because c does not have VFresh. Match satisfies 
the second condition of an ordered mapping because c does not have VOrd. Thus, Match is 
also an ordered mapping. 

Let d⊥ ∈ D_n be a NULL-returning dequeue event in c. We have to show that Before(c, d⊥) 
and Bad(c, d⊥) are disjoint. Because c has no VWit violation, there must be a prefix 
c_p = c_0 · inv(d⊥) · c_1 of c such that if e is an enqueue event that is completed in c_p, then its 
matching dequeue event d (i.e. Match(d) = e) is either pending or completed in c_p. In 
other words, if res(e) occurs in c_p, then so does inv(d). Let e_j ∈ Bad(c, d⊥) be such that 
e_j ∈ Bad_j(c, d⊥), for any e_k ∈ Bad(c, d⊥) we have j ≤ k, and e_j is completed in c_p. If there 
is no such e_j, that is, if Bad(c, d⊥) is empty, then we are done. Otherwise, observe that 
j ≠ 0 because by the absence of VWit, there is d_j such that Match(d_j) = e_j and d⊥ ⊀_c d_j; 
in particular, inv(d_j) occurs in c_p. But j > 0 implies that there is e_{j−1} ∈ Bad_{j−1}(c, d⊥) 
such that either e_{j−1} ≺_c e_j or e_{j−1} ≺_c d_j. Both cases imply that e_{j−1} must be completed 
in c_p, contradicting the assumption that j was minimal. Thus, there are no enqueue events 
in Bad(c, d⊥) which are completed in c_p. Since Before(c, d⊥) is contained in the set of 
completed events of c_p, we conclude that Before(c, d⊥) and Bad(c, d⊥) are disjoint. 

This concludes the proof that Match is a linearization witness for c. □ 


We remark that none of the violations mentions the possibility of an element inserted 
by an enqueue being lost forever. This is intentional, as such histories are ruled out by the 
following proposition. 
Proposition 4.9. Given an infinite sequence of complete histories c_1, c_2, ... not containing 
any of the violations above, where for every i, c_i is a prefix of c_{i+1}, and the number of 
dequeue events in c_i is less than that of c_{i+1}, if c_1 contains an enqueue event enq(x), then 
there exists some c_j containing deq(x). 

Proof. We prove this by contradiction. If there is no deq(x) event, then enq(x) is always 
in the queue, and so, from the absence of VWit violations, none of the dequeue events 
following enq(x) can return NULL. Also, since dequeue events cannot return values that 
were not previously enqueued (VFresh) and cannot return the same value multiple times 
(VRepet), and since the number of dequeue events is increasing, there must also be new 
enqueue events. However, only finitely many of those are not preceded by enq(x), which 
completes in c_1. This means that eventually one dequeue event has to return an element 
inserted by enq(y) such that enq(x) ≺_{c_j} enq(y), which is VOrd. □ 

For checking purposes, we find it useful to re-state the third violation as the following 
equivalent proof obligation. 

(POrd): For any enqueue events e_1 and e_2 with e_1 ≺_c e_2 and Val_c(e_1) ≠ Val_c(e_2), a dequeue 
event d_2 cannot return Val_c(e_2) if Val_c(e_1) is not removed in c or is removed by d_1 with 
d_2 ≺_c d_1. 

Thus, to check this property, it suffices to come up with an overapproximation of all those 
executions satisfying the premise of POrd, and prove that such executions cannot end with 
a dequeue event (in the sense that no other method is preceded by that dequeue event) 
returning the value of e_2. 

Necessary and Sufficient Conditions for Purely-Blocking Queues. There is a subtle 
complication in the statement of Theorem 4.7. The witness mapping is chosen relative 
to some completion of the concurrent history under consideration. However, because 
implementations may become blocked, such completions may actually never be reached. This 
means that one cannot reason about the correctness of a queue implementation by considering 
only the reachable states of the implementation. What we would ideally like to do is 
to claim that if the implementation violates linearizability, then there is a finite complete 
induced history of the implementation which has no witness. In other words, if the 
implementation contains an incomplete execution trace whose induced (incomplete) history 
has no witness, then that execution trace is the prefix of a complete execution trace of the 
implementation. 

Let 𝒞 be the set of all induced histories of a library implementation. We call the library 
implementation completable iff for every history c ∈ 𝒞, we have Compl(c) ∩ 𝒞 ≠ ∅. For 
completable implementations, it suffices to consider only complete execution traces. 

Theorem 4.10. A completable queue implementation is linearizable iff all its complete 
histories have none of the VFresh, VRepet, VOrd and VWit violations. 

Proof. 

(⇒) If some complete history has a violation, by Prop. 4.8 it has no linearization, 
contradicting the assumption that the implementation is linearizable. 

(⇐) Consider an arbitrary induced history c of the implementation. As the implementation 
is completable, there exists a completion c̄ ∈ Compl(c) that is a valid induced history of 
the implementation. From our assumptions, c̄ cannot have a violation, and so by Prop. 4.8 
c̄ has a linearization, and therefore so does c. □ 
Since it may not be obvious how to easily prove that an implementation is completable, 
we introduce the stronger notion of purely-blocking implementations, that is straightforward 
to check. We say that an implementation is purely-blocking when at any reachable state, 
any pending method, if run in isolation, will terminate or its entire execution does not 
modify the global state. Formally, let τ = τ_0 · (t : enter(m)) · τ_1 be an execution trace 
of the implementation in which m executed by t is pending, i.e. (t : exit(m)) does not 
occur in τ_1. The pending method m is called pure after τ if for any sequence τ_e in which 
no action of m by t occurs and any sequence τ_m in which only actions of m by t occur, 
τ · τ_e is an execution trace of the implementation iff τ · τ_m · τ_e is an execution trace of the 
implementation. The execution trace τ is called obstruction-free for m if there is another 
execution trace τ' = τ · τ_2 · (t : exit(m)) of the implementation such that all actions in τ_2 
belong to m executed by t. Then, the implementation is purely-blocking if for each execution 
trace τ of the implementation and pending method m in τ, either τ is obstruction-free for 
m or m is pure after τ. 

Proposition 4.11. Every purely-blocking implementation is completable. 

Proof. Let τ be an execution trace of a purely-blocking implementation. We fix a total order 
of pending methods, and consider them in that order. For a pending method m executed 
by t, if running it in isolation terminates, then extend τ only with actions executed by t 
until (t : exit(m)) occurs. Otherwise, the execution of m does not modify any global state 
and so all actions executed by t beginning with the last occurrence of (t : enter(m)) can be 
removed from the execution trace without affecting its realizability. □ 

We remark that our new notion of purely-blocking is a strictly weaker requirement 
than the standard non-blocking notions: obstruction-freedom, which requires all pending 
methods to terminate when run in isolation, as well as the stronger notions of lock-freedom 
and wait-freedom. (See [9] for an in-depth exposition of these three notions.) 

5. Manually Verifying the Herlihy-Wing Queue 

Let us return to the HW queue presented earlier and prove its correctness manually following 
our aspect-oriented approach. 

First, observe that the HW queue is purely-blocking: enq() always terminates, and deq() 
can update the global state only by reading x ≠ NULL at D2, in which case it immediately 
terminates. So from Prop. 4.11 and Theorem 4.10 it suffices to show that it does not have 
any of the four violations. The last one, VWit, is trivial as the HW deq() never returns 
NULL. So, we are left with three violations whose absence we have to verify: VFresh, VRepet, 
and VOrd. 

Intuitively, there are no VFresh violations because deq() can return only a value that 
has been stored inside the q.items array. The only assignments to q.items are E1 and D2: 
the former can only happen by an enq(x), which puts x into the array; the latter assigns 
NULL. 

Likewise, there are no VRepet violations because whenever in an arbitrary execution 
trace two calls to deq() return the same x, then at least twice there was an element of the 
q.items array holding the value x that was updated to NULL by the SWAP instruction at D2. 
Therefore, at least two assignments of the form q.items[i] ← x happened; i.e. there were at 
least two enq(x) events in the induced history. 
We move on to the more challenging third condition, VOrd. We actually consider its 
equivalent reformulation, POrd. Fix a value v_2 and consider an execution trace τ where 
every method call enqueuing v_2 is preceded by some method call enqueuing some different 
value v_1 and there are no deq() calls returning v_1 (there may be arbitrarily many concurrent 
enq() and deq() calls enqueuing or dequeuing other values). The goal is to show that in 
this execution trace, no deq() returns v_2. 

Let us suppose there is a dequeue d returning v_2, and try to derive a contradiction. For 
d to return v_2, it must have read range ≥ i_2 such that q.items[i_2] = v_2. So, d must have 
read q.back at D1 after enq(v_2) incremented it at E1. 

Since enq(v_1) ≺_{h(τ)} enq(v_2), it follows that enq(v_2) will have read a larger value of 
q.back at E1 than enq(v_1). So, in particular, once enq(v_1) finishes, the following assertion 
will hold: 

$$\exists i_1 < \mathit{q.back}.\; \mathit{q.items}[i_1] = v_1 \wedge (\forall j < i_1.\; \mathit{q.items}[j] \neq v_2) \qquad (*)$$

Note that since, by assumption, v_1 can never be dequeued, and any later enq(v_2) can only 
affect the q.items array at indexes larger than i_1, (*) is an invariant. 

Given this invariant, however, it is impossible for d to return v_2, as in its loop it will 
necessarily first have encountered v_1. Formally, to show this we use the following loop 
invariant at the beginning of the for loop 

$$\exists i_1.\; i \le i_1 < \mathit{q.back} \wedge \mathit{q.items}[i_1] = v_1 \wedge (\forall j < i_1.\; \mathit{q.items}[j] \neq v_2)$$

and (*) for the while loop. With these invariants, it is immediate that the swap at line D2 
cannot read v_2. 

6. Checking the Conditions by Proving Program Divergence 

In this section, we reduce proving the absence of VFresh, VRepet and VOrd violations to 
proving that certain programs always diverge. Towards the end of the section, we also 
discuss how the absence of VWit violations might be automatically checked for queue 
implementations whose deq method may return NULL. 

Our proof technique relies heavily on instrumenting the deq() function with a prophecy 
variable 'guessing' the value that will be returned when calling it. That is, we construct a 
method, deq(v), such that the set of execution traces of ⊔_{x ∈ Val ∪ {NULL}} deq(x) is equal to the 
set of execution traces of deq(), where ⊔ stands for (demonic) non-deterministic choice: the 
set of traces of T ⊔ T' is the union of the sets of traces of T and T'. A simple construction is 
to define deq(v) to behave exactly as deq() except that when deq() is about to return a value 
other than v, we make deq(v) diverge. That is, we prepend an assume(x = v); statement 
to every return x statement in deq(). In Section 7 we describe a better construction. 

Proving Absence of VFresh Violations. Generally, it is completely straightforward to 
prove the absence of VFresh violations. For example, it is sufficient for the queue 
implementation to be data independent [22]. 

This is because a data independent implementation cannot produce values 'out of thin 
air.' In other words, if a dequeue returns a value, it must have read that value from memory, 
and the only way for a value to get into memory is for an enqueue to be invoked with that 
value passed as an argument. Therefore, no VFresh violations can occur in data independent 
implementations. 
Proving Absence of VRepet Violations. To prove the absence of VRepet violations, we 
use the following theorem. 

Theorem 6.1. A completable queue implementation has no VRepet violations iff for all 
values v and all n, m, k ∈ ℕ such that 0 < n < m, the program 

$$\mathit{Prg}(v,n,m,k) \stackrel{\text{def}}{=} \big(\underbrace{\mathit{enq}(v) \parallel \dots \parallel \mathit{enq}(v)}_{n \text{ times}} \parallel \underbrace{\mathit{deq}(v) \parallel \dots \parallel \mathit{deq}(v)}_{m \text{ times}} \parallel \underbrace{C \parallel \dots \parallel C}_{k \text{ times}}\big)$$

has no execution trace in which more than n deq(v) threads terminate, where 

$$C \stackrel{\text{def}}{=} \bigsqcup_{x \neq v} \mathit{enq}(x) \;\sqcup\; \bigsqcup_{x \neq v} \mathit{deq}(x).$$

Proof. (⇒) We argue by contradiction. Consider an execution trace τ of Prg(v,n,m,k) 
where at least n + 1 of the deq(v) threads terminate. The induced history h(τ) cannot 
have a safe matching because to satisfy condition (1) of Definition 4.1 each deq(v) must be 
matched by some enq(v), and from the pigeonhole principle multiple deq(v) will have to be 
matched with the same enq(v), thereby violating condition (3) of the Definition. 

(⇐) Again, we argue by contradiction. Assume the queue implementation has an 
execution trace τ such that h(τ) has a VRepet violation. For each value v, let n_v be 
the number of invoked enq(v) operations in τ and m_v be the number of invoked deq(v) 
operations. Then, since there is a VRepet violation, for some v there are at least n_v + 1 
completed deq(v) operations in τ. Finally, observe that τ can be generated by a run of 
the program Prg(v, n_v, m_v, k) (for some k) in which at least n_v + 1 of the deq(v) threads 
terminate. □ 

In case the queue implementation is data independent [22], we can simplify the VRepet 
check further. We say that a history is differentiated if all the input arguments to 
invocations of the library's methods are pairwise different. Given a renaming function on data 
values, f : D → D, we write f(c) for applying the function to all the data values in the 
history c. An implementation is data independent if the set of histories it generates, H, 
satisfies two properties: (1) for every c ∈ H, f(c) ∈ H; and (2) for every c ∈ H, there 
exists a differentiated history c' ∈ H such that c = f(c'). To ensure data independence, it 
suffices to check that the implementation never performs any operations (such as testing 
for equality) on the value domain. 

For data-independent programs, we can reduce reasoning about any number (say n 
and m where m > n) of enq(v) and deq(v) threads to a single enq(v) and multiple deq(v) 
threads. To see why a data independence condition is necessary, consider the following 
incorrect enq(v) and deq() implementations: 

    enq(v) ≝ atomic(if v ∈ Q then Q := Q · v · v else Q := Q · v) 
    deq()  ≝ atomic(match Q with ε → block | v · Q' → Q := Q'; return v) 

Observe that for all m > 1, the program Prg(v,1,m,0) never terminates whereas the 
program Prg(v,2,3,0) has a terminating execution: the serial execution where both enqueues 
take place before all the dequeues. 

Theorem 6.2. A data-independent completable queue implementation has no VRepet 
violations iff for all values v, all m > 1 and all k ∈ ℕ, the program Prg(v,1,m,k) (as defined in 
Theorem 6.1) has no execution in which more than one deq(v) thread terminates. 
Proof. By Theorem 6.1 it suffices to show that if for all v, m and k, Prg(v,1,m,k) has 
no execution trace with more than one terminating deq(v), then for all v, n, m and k, no 
execution trace of the program Prg(v,n,m,k) can have more than n terminating deq(v) 
threads. Now, as enq and deq do not perform any value-dependent operations, we can 
replace the v being enqueued by distinct fresh v_i values. Doing so will naturally affect 
the return values of the dequeue operations that were returning v, but because of data 
independence, nothing else. Hence, the program 

$$\underbrace{\mathit{enq}(v_1) \parallel \dots \parallel \mathit{enq}(v_n)}_{n \text{ threads}} \parallel \underbrace{\mathit{deq}(r_1) \parallel \dots \parallel \mathit{deq}(r_m)}_{m \text{ threads}} \parallel \underbrace{C \parallel \dots \parallel C}_{k \text{ times}}$$

must have an execution trace where at least n + 1 of the deq(r_i) threads terminate with 
r_i ∈ {v_1, ..., v_n} for 0 < i ≤ m. So, by the pigeonhole principle, there exists some value 
that gets dequeued multiple times, say m' times. This, however, contradicts our assumption that 
Prg(v_i, 1, m', −) has at most one terminating deq(v_i) thread. □ 


Proving Absence of VOrd Violations. We move on to the POrd property, which as we 
have seen in the manual proof of the HW queue, is often more complicated to prove. It 
turns out that our automated technique for proving POrd also establishes absence of VFresh 
violations as a side-effect. We reduce the problem of proving absence of VFresh and VOrd 
violations to the problem of checking non-termination of non-deterministic programs with an 
unbounded number of threads. The reduction exploits the instrumented deq(v) definition: 
deq() cannot return a result x in an execution precisely if deq(x) cannot terminate in that 
same execution. 

Theorem 6.3. A completable queue implementation has no VFresh and VOrd violations iff 
for all k ∈ ℕ and for all v_1 and v_2 such that v_1 ≠ v_2, the deq(v_2) thread does not terminate 
in the program 

$$\mathit{Prg}(k) \stackrel{\text{def}}{=} b \leftarrow \mathit{false};\; \big(\mathit{deq}(v_2) \parallel (\mathit{enq}(v_1);\; b \leftarrow \mathit{true}) \parallel \underbrace{C \parallel \dots \parallel C}_{k \text{ threads}}\big)$$

where 

$$C \stackrel{\text{def}}{=} (\mathit{assume}(b);\; \mathit{enq}(v_2)) \;\sqcup\; \bigsqcup_{x \neq v_2} \mathit{enq}(x) \;\sqcup\; \bigsqcup_{x \neq v_1} \mathit{deq}(x).$$

Proof. (⇒) We argue by contradiction. Consider an execution trace τ of Prg(k) in which 
the deq(v_2) thread terminates. If enq(v_2) is not invoked in τ, then as there are no VFresh 
violations, we know that no deq() in τ can return v_2, contradicting our assumption that 
deq(v_2) terminates in τ. Otherwise, if enq(v_2) is invoked in τ, then at some earlier point 
assume(b) was executed, and since initially b was set to false, this means that b ← true was 
executed and therefore enq(v_1) ≺_{h(τ)} enq(v_2). Consequently, from POrd, if there is a deq() in 
τ that returns v_2, there must be a deq() in τ that can be completed to return v_1, contradicting 
our assumption that deq(v_2) terminates in τ. 

(⇐) We have two properties to prove. For VFresh, it suffices to consider the restricted 
parallel context that never enqueues v_2. In this restricted context, deq(v_2) does not 
terminate, and so deq() cannot return v_2. For VOrd, consider an execution trace in which every 
enq(v_2) happens after some enqueue of a different value, say enq(v_1), and in which there 
is no deq(v_1). Such an execution trace can easily be produced by the unbounded parallel 
composition of C, and so deq(v_2) also does not terminate, as required. □ 
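To make the divergence checks of Theorems 6.2 and 6.3 concrete, here is an added example that is not code from the paper or from Cave: a Python model of the HW queue whose deq(v) is instrumented exactly as described at the start of this section (the assume on the prophesied value is placed inside the atomic swap, so a failed assume blocks the thread), together with a breadth-first enumeration of all interleavings of a finite instance of Prg(v, n, m, k) and of the program of Theorem 6.3. The enqueue is modelled, as an assumption of the model, as an atomic fetch-and-increment of q.back (E1) followed by the write to q.items (E2); the unbounded context C is instantiated with a few fixed threads, so this is a bounded sanity check of the two theorems for one queue, not the unbounded-thread proof that the theorems require. The array capacity and the thread counts are the model's own parameters.

```python
from collections import deque

NULL = None
CAPACITY = 8  # size of q.items in this finite model (a modelling assumption)

# Global state: (q.back, q.items, b), where b is the flag of Prg(k) in Theorem 6.3.
# Thread states are tuples:
#   ("enq", x, pc, i, wait_b, set_b): enqueue x; with wait_b it first does assume(b)
#       (the guarded enq(v2) of C), with set_b it executes b <- true afterwards
#       (the enq(v1); b <- true thread).
#   ("deq", v, pc, range, i): the prophecy-instrumented deq(v); a failed assume
#       blocks the thread for ever, which is how the instrumentation "diverges".

def enq(x, wait_b=False, set_b=False):
    return ("enq", x, 0, 0, wait_b, set_b)

def deq(v):
    return ("deq", v, 0, 0, 0)

def done(th):
    return th[2] == (3 if th[0] == "enq" else 2)

def step(shared, th):
    """One atomic step of thread th from global state shared.
    Returns (shared', th'), or None when th is blocked (an assume failed)."""
    back, items, b = shared
    if th[0] == "enq":
        _, x, pc, i, wait_b, set_b = th
        if pc == 0:                         # assume(b) if guarded; E1: i <- INC(q.back)
            if wait_b and not b:
                return None
            assert back < CAPACITY, "model array too small for this program"
            return (back + 1, items, b), ("enq", x, 1, back, wait_b, set_b)
        if pc == 1:                         # E2: q.items[i] <- x
            new = list(items)
            new[i] = x
            return (back, tuple(new), b), ("enq", x, 2, i, wait_b, set_b)
        if pc == 2:                         # b <- true (a no-op unless set_b)
            return (back, items, b or set_b), ("enq", x, 3, i, wait_b, set_b)
    else:
        _, v, pc, rng, i = th
        if pc == 0:                         # D1: range <- q.back - 1; i <- 0
            return shared, ("deq", v, 1, back - 1, 0)
        if pc == 1:
            if i > rng:                     # for loop exhausted: retry (while true)
                return shared, ("deq", v, 0, 0, 0)
            x = items[i]                    # D2: x <- SWAP(q.items[i], NULL), guarded by
            if x == v:                      #   assume(x = v and x != NULL): return x
                new = list(items)
                new[i] = NULL
                return (back, tuple(new), b), ("deq", v, 2, rng, i)
            if x is NULL:                   #   assume(x = NULL): go to the next slot
                return shared, ("deq", v, 1, rng, i + 1)
            return None                     # any other value: both assumes fail
    return None

def explore(threads, v):
    """Enumerate every interleaving of `threads` from the empty queue. Returns the
    largest number of deq(v) threads terminated in any reachable state, together
    with the number of reachable states."""
    init = ((0, (NULL,) * CAPACITY, False), tuple(threads))
    seen, work, best = {init}, deque([init]), 0
    while work:
        shared, ths = work.popleft()
        best = max(best, sum(1 for t in ths if t[0] == "deq" and t[1] == v and done(t)))
        for k, t in enumerate(ths):
            if done(t):
                continue
            nxt = step(shared, t)
            if nxt is None:
                continue
            state = (nxt[0], ths[:k] + (nxt[1],) + ths[k + 1:])
            if state not in seen:
                seen.add(state)
                work.append(state)
    return best, len(seen)

def prg_repet(v, n, m, extra=()):
    """Prg(v, n, m, k) of Theorems 6.1/6.2, the k copies of C replaced by `extra`."""
    return explore([enq(v)] * n + [deq(v)] * m + list(extra), v)

def prg_ord(v1, v2, extra=()):
    """Prg(k) of Theorem 6.3: deq(v2) || (enq(v1); b <- true) || C || ..., with C
    instantiated as one assume(b); enq(v2) thread plus the threads in `extra`."""
    return explore([deq(v2), enq(v1, set_b=True), enq(v2, wait_b=True)] + list(extra), v2)

if __name__ == "__main__":
    print("Prg(1,1,2,.): max terminating deq(1) =", prg_repet(1, 1, 2, [enq(7), deq(7)])[0])
    print("Prg(1,2,3,0): max terminating deq(1) =", prg_repet(1, 2, 3)[0])
    print("Theorem 6.3 program: terminating deq(2) =", prg_ord(1, 2, [enq(7), deq(7)])[0])
```

For the HW queue the exploration reports that at most n deq(v) threads ever terminate in Prg(v, n, m, k) and that deq(v_2) never terminates in the Theorem 6.3 program, which is what the theorems require for the absence of VRepet and of VFresh/VOrd. The state space stays finite because q.back grows only by the number of enqueue threads and every retry of the while loop returns a dequeue thread to a state already seen.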
Showing Absence of VWit Violations. Here, we have to show that any dequeue event 
cannot return NULL if it never goes through a state where the queue could be logically empty. 
This in turn means that we have to express non-emptiness using only the actions of the 
history (and not referring to the linearization point or the gluing invariant which relates the 
concrete states of the implementation to the abstract states of the queue). For the following 
let us fix a (complete) concurrent history c and a dequeue of interest d⊥ which returns NULL 
and does not precede any other event in c. 

Let c' be some prefix of c and let e ∈ Enq(c') be a completed enqueue event in c'. We will 
call e alive after c' if, whenever there is a matching dequeue event d in Deq(c), i.e. d = deq(Val_c(e)), 
then d is neither pending nor completed in c'. In other words, e is alive after c' if its 
matching dequeue d, if it exists, is not invoked in c'. 

For the following, let d_i denote the dequeue event which removes the element inserted 
by the enqueue event e_i; that is, d_i = deq(Val_c(e_i)). A sequence e_0 e_1 ... e_n of enqueue 
events in Enq(c) is covering for d⊥ in c if the following holds: 

• e_0 is alive at c' where c' is the maximal prefix of c in which inv(d⊥) does not occur. 

• For all i ∈ [1, n], e_i starts before d⊥ completes. 

• For all i ∈ [1, n], we have e_i ≺_c d_{i−1}. 

• e_n is alive at c. 

Note that all d_i must exist by the third condition, with the only exception of d_n, which 
does not exist (the last condition). Then, the sequence is covering for d⊥ if d_0 does not 
start before d⊥ starts, and every enqueue event e_i completes before the dequeue event d_{i−1} 
starts. Intuitively, this means that at every state visited during the execution of d⊥, the 
queue contains at least one element. 

The property corresponding to the last violation (VWit) then becomes the following: 
(PWit): A dequeue event d cannot return NULL if there is a covering for d. 

Lemma 6.4. A (complete) concurrent history c has VWit iff it does not satisfy PWit. 

Proof. (⇒) Let c have VWit. By Prop. 4.8 there is d⊥ ∈ Deq(c) such that Val_c(d⊥) = NULL 
and Bad(c, d⊥) ∩ Before(c, d⊥) ≠ ∅. We construct a covering sequence e_0 ... e_n for d⊥ such 
that for all 0 ≤ i < n the response of e_i occurs before the response of e_{i+1}; if j_i and j_{i+1} are 
minimal indices for which e_i ∈ Bad_{j_i}(c, d⊥) and e_{i+1} ∈ Bad_{j_{i+1}}(c, d⊥) hold, then j_{i+1} < j_i; 
e_n ∈ Bad_0(c, d⊥); and if e ∈ Bad_k(c, d⊥) with k < j_{i+1}, then e ⊀_c d_i. 

(Base): By the assumption there is an enqueue event in Bad(c, d⊥) ∩ Before(c, d⊥). Set e_0 to 
an enqueue event in Bad_{j_0}(c, d⊥) such that for any other enqueue event e' ∈ Bad_k(c, d⊥) ∩ 
Before(c, d⊥), we have j_0 ≤ k. 

(Inductive): Let e_i be in Bad_{j_i}(c, d⊥) with j_i > 0. Let E' be the set of all e' ∈ Bad(c, d⊥) 
such that either e' ≺_c e_i or e' ≺_c d_i, where d_i is the matching dequeue event for e_i. 
Observe that E' is non-empty. Choose e_{i+1} ∈ E' to be an enqueue event with minimal 
index in E'. That is, if j_{i+1} is the smallest index for which e_{i+1} ∈ Bad_{j_{i+1}}(c, d⊥) holds, 
then for any e' ∈ E', e' ∈ Bad_k(c, d⊥) implies j_{i+1} ≤ k. Observe that j_{i+1} < j_i. This 
implies that by construction it cannot be the case that e_{i+1} ≺_c d_{i−1}, since it would 
contradict the assumption that e_i was chosen as an enqueue event with minimal index 
among those that precede d_{i−1}. But again by construction we have e_i ≺_c d_{i−1}, which 
together with e_{i+1} ⊀_c d_{i−1} implies that the response event of e_{i+1} occurs after the response 
event of e_i. This also means that because e_{i+1} ⊀_c e_i, we must have e_{i+1} ≺_c d_i. 

Since the sequence of indices j_i is strictly decreasing, to show that the construction 
terminates with j_n = 0, we only have to show that there is e_n ∈ Bad_0(c, d⊥) completed before d⊥ 
is completed; i.e. the response of e_n occurs before the response of d⊥ in c. By the definition 
of VWit, taking c_p = c_0 · inv(d⊥) · c_d, we know that there must be at least one enqueue 
event e in c_p such that e is completed in c_p and its matching dequeue is neither pending 
nor completed in c_p. But this immediately implies that e ∈ Bad_0(c, d⊥) and e is completed 
before d⊥ is completed. 

(⇐) Let e_0 ··· e_n be a covering sequence for d⊥. Then, e_n ∈ Bad(c, d⊥) because d_n, 
if it exists, is preceded by d⊥, i.e. d⊥ ≺_c d_n. Furthermore, for every i ∈ [1, n], since we 
have e_i ≺_c d_{i−1}, all e_i ∈ Bad(c, d⊥). Finally, e_0 ∈ Before(c, d⊥). Thus, Bad(c, d⊥) and 
Before(c, d⊥) are not disjoint if there is a covering for d⊥. By Prop. 4.8 this implies the 
existence of VWit. □ 


    procedure deq(v : val) 
      while true do 
        ⟨range ← q.back − 1⟩ 
        for i = 0 to range do 
          ( ⟨x ← q.items[i]; 
             assume(x = v ∧ x ≠ NULL); 
             q.items[i] ← NULL⟩; 
            return x ) 
          ⊔ 
          ⟨x ← q.items[i]; 
           assume(x = NULL); 
           q.items[i] ← NULL⟩ 

Figure 2: The HW dequeue method instrumented with the prophecy variable v guessing its 
return value, where ⊔ stands for non-deterministic choice. 

We will actually restate the same property in a simpler way by making the following obser¬ 
vation. 

Proposition 6.5. There is a covering for d⊥ in c iff at every prefix c' of c such that d⊥ is 
pending in c', there is at least one alive enqueue event. 

Then, we can alternatively state PWit as follows: 

(PWit'): A dequeue event d cannot return NULL if for every prefix c' at which d is pending 
there exists an alive enqueue event. 

Note that POrd can also be stated in terms of alive enqueue events. 

(POrd'): For any enqueue events e_1 and e_2 with e_1 ≺_c e_2 and Val_c(e_1) ≠ Val_c(e_2), a dequeue 
event cannot return Val_c(e_2) if e_1 is alive at c. 

7. Automation within Cave 

To automate the linearizability proof of the HW queue, we have mildly adapted the 
implementation of Cave, a sound but incomplete thread-modular concurrent program 
verifier that can handle dynamically allocated linked list data structures and fine-grained 
concurrency. The tool takes as its input a program consisting of some initialization code and 
a number of concurrent methods, which are all executed in parallel an unbounded number 
of times each. When successful, it produces a proof in RGSep that the program has no 
memory errors and none of its assertions are violated at runtime. Internally, it performs 
RGSep action inference with a rich shape-value abstract domain [18] that can remember 
invariants indicating that value v_1 is inside a linked list. Cave also has a way of proving 
linearizability by a brute-force search for linearization points (see [19] for details), but this 
is not applicable to the HW queue and therefore irrelevant for our purposes. 

Overview of Action Inference. In brief, Cave's action inference algorithm first 
determines the part of the heap-allocated memory that is private to a thread and the part that 
is shared. The main heuristic employed in this decision is that newly allocated memory 
cells are deemed to be private until they become reachable from some global variable, from 
which point onwards they are deemed shared. 

Next, the algorithm computes a binary relation R on program states overapproximating 
the effects of all atomic statements of the program on the shared part of the heap. 
Syntactically, it represents R as the union of a set of more primitive binary relations, which are 
called actions. Moreover, it remembers which atomic program statements correspond to 
which actions of the set. Thus, for example, if we want to compute an overapproximation 
of a program C in a parallel context C', we can run action inference on C || C' and from the 
total set of actions return only those corresponding to C. 

As part of this overapproximation, any information about the program's control flow is 
lost except when the program explicitly records it in some global variable. This property 
is common to most thread-modular reasoning techniques, and is necessary for scalability. 
Thus, for instance, the programs C, C*, and C || C generate the same set of actions. 

In the process of computing the set of actions, Cave proves that the program is memory 
safe and does not violate any assertions in it. To do so, it constructs a proof in RGSep, 
which is an adaptation of Jones' rely-guarantee method suitable for pointer-manipulating 
programs. To construct these proofs, it calculates via abstract interpretation an 
invariant that holds after every atomic program statement. These invariants describe the 
shapes of the heap allocated data structures (e.g., that there is a linked list from x to y 
via the field next), and some very simple facts about the values stored in them (e.g., that 
the sequences of values stored in two list segments are equal, or that the sequence of values 
stored in one list segment is sorted). 

Finally, we note that action inference is incremental. Typically, action inference is run 
starting with an initial empty set of actions, to which set it adds any new actions it generates 
until a fixpoint is reached. When, however, we want to verify C || C' and we already know a 
sound abstraction of C (under the assumption that C' can be run in parallel), it su 
ffices to perform action inference only on C' but starting with the set of actions of C as the 
initial set of actions. To this set, action inference will add any further actions C' produces. 

Summary of Changes. The modifications we had to perform to Cave were: 

(1) To add code that instruments deq() methods with a prophecy argument guessing its 
return value, thereby generating deq(v); 

(2) To add some glue code that constructs the verification conditions of Theorems 6.2 
and 6.3 and runs the underlying prover to verify them; 

(3) To improve the abstraction function so that it can remember properties of the form 
v ∉ X, which are needed to express the Q invariant of the proof in Section 5; and 

(4) When checking the absence of VRepet violations, to instrument the inferred actions so 
as to work around the fact that action inference abstracts over control flow information. 
The first two changes are clearly tool-independent, the third item is very Cave-specific, 
whereas the fourth item is fairly generic. The problem that we are working around here 
is common to almost all thread-modular verification approaches, and our instrumentation 
should work for other tools as well. To use a tool other than Cave, the tool must be 
able to express invariants such as the aforementioned Q invariant. 

As Cave does not support arrays (it only supports linked lists), we gave the tool a 
linked-list version of the HW queue, for which it successfully verified that there are no 
VFresh, VRepet, and VOrd violations. (As the HW deq never returns NULL, the algorithm 
also trivially has no VWit violations.) 

Prophetic Instrumentation of Dequeues. In order to be able to use the theorems in 
the previous section, we must first construct the method deq(v) that records the result of 
the deq() function in its argument, which acts like a prophecy variable. In essence, the 
deq(v) we construct must be such that the set of traces of $\bigsqcup_{x \in \mathbb{N} \cup \{\mathit{null}\}} \mathit{deq}(x)$ is equal to 
the set of traces of deq(), where ⊔ stands for non-deterministic choice. Figure 2 shows the 
resulting automatically-generated instrumented definition of deq(v) for the HW queue. 

Our implementation of the instrumentation performs a sequence of simple rewrites, each 
of which does not affect the set of traces produced: 

$$\text{return } E \;\rightsquigarrow\; \text{assume}(v = E);\ \text{return } E$$

$$\text{if } B \text{ then } C \text{ else } C' \;\rightsquigarrow\; (\text{assume}(B);\ C) \sqcup (\text{assume}(\neg B);\ C')$$

$$C;\ \text{assume}(B) \;\rightsquigarrow\; \text{assume}(B);\ C \quad \text{provided } \mathit{fv}(B) \subseteq \mathit{Locals} \setminus \mathit{writes}(C)$$

$$C;\ (C_1 \sqcup C_2) \;\rightsquigarrow\; (C;\ C_1) \sqcup (C;\ C_2)$$

$$(C_1 \sqcup C_2);\ C \;\rightsquigarrow\; (C_1;\ C) \sqcup (C_2;\ C)$$

In general, the goal of applying these rewrite rules is to bring the introduced assume(v = E) 
statements as early as possible without unduly duplicating code. 
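As an added illustration (not the paper's or Cave's code), the following Python applies the five rewrites above to a small statement encoding of its own: it distributes sequencing over choice, turns each return E into assume(v = E), and then hoists the assumes leftwards under the side condition of rule 3. It assumes loop-free code, and the two-slot fragment of the HW dequeue at the bottom is constructed for the example.

```python
import re
from itertools import product
# Constructed statement forms (this example's own encoding, not Cave's syntax):
# ('atomic', text, writes) ('return', E) ('assume', B) ('seq', s, t) ('if', B, s, t) ('choice', s, t)
LITERALS = {'null', 'true', 'false'}
def fv(expr):
    """Free variables of an expression, approximated as its identifier tokens."""
    return set(re.findall(r'[A-Za-z_]\w*', expr)) - LITERALS
def writes(step):
    return step[2] if step[0] == 'atomic' else set()

def paths(stmt, v):
    """Rules 1, 2, 4, 5: flatten loop-free code into a choice of straight-line paths
    (this duplicates branches, which the paper's implementation tries to avoid)."""
    kind = stmt[0]
    if kind == 'return':        # return E  ~>  assume(v = E); return E
        return [[('assume', f'{v} = {stmt[1]}'), stmt]]
    if kind in ('atomic', 'assume'):
        return [[stmt]]
    if kind == 'if':            # if B then C else C'  ~>  (assume(B); C) u (assume(!B); C')
        _, b, c1, c2 = stmt
        return paths(('choice', ('seq', ('assume', b), c1),
                                ('seq', ('assume', f'!({b})'), c2)), v)
    if kind == 'choice':
        return paths(stmt[1], v) + paths(stmt[2], v)
    if kind == 'seq':           # C; (C1 u C2) and (C1 u C2); C distribute over the choice
        return [p + q for p, q in product(paths(stmt[1], v), paths(stmt[2], v))]
    raise ValueError(kind)

def hoist(path, locals_):
    """Rule 3: C; assume(B) ~> assume(B); C while fv(B) are locals that C does not write."""
    out = list(path)
    for i, step in enumerate(out):
        if step[0] != 'assume' or not fv(step[1]) <= locals_:
            continue
        j = i
        while j > 0 and not fv(step[1]) & writes(out[j - 1]):
            out[j], out[j - 1] = out[j - 1], out[j]
            j -= 1
    return out

def instrument(stmt, v, locals_):
    """deq(v): every return E becomes assume(v = E), hoisted as early as rule 3 allows."""
    return [hoist(p, locals_ | {v}) for p in paths(stmt, v)]

# Constructed, loop-free two-slot fragment of the HW dequeue (not the paper's Figure 2).
SWAP0 = ('atomic', 'x := SWAP(q.items[0], null)', {'x'})
SWAP1 = ('atomic', 'x := SWAP(q.items[1], null)', {'x'})
DEQ = ('seq', ('atomic', 'range := q.back - 1', {'range'}),
       ('seq', SWAP0, ('if', 'x != null', ('return', 'x'), ('seq', SWAP1, ('return', 'x')))))
```

On this fragment the prophecy assume(v = x) ends up immediately after the SWAP that produced x on each path, which is as early as rule 3 permits.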

Instrumentation for Checking Absence of VRepet Violations. Observe that the HW 
queue implementation is data independent, as the operations on the shared locations in 
the enq and deq methods do not depend on the value of the argument. Therefore, using 
Theorem 6.2, we have to prove that in the context where only one enq(v) can happen in 
parallel, deq(v) cannot terminate if another deq(v) has terminated. 

One slight complication is that we cannot use RGSep action inference directly 
to prove this property, because we have to keep track of the exact number of occurrences 
of particular shared-memory operations (such as the enqueues of v). In rely-guarantee, 
operations on shared variables are abstracted by actions, which typically do not contain 
any control flow within them. Hence, after the initial action generation, we have to augment 
the shared state and the actions with auxiliary variables that (a) record the termination 
of parallel deq(v) and (b) ensure that only one parallel enq(v) call is accounted for. Our 
implementation therefore proceeds as follows: 

(1) It infers an initial set of RGSep actions, R, by performing symbolic execution of the 
enq and deq methods, and refines this set of actions to record information about the 
arguments of enq() and the result of the deq() functions wherever possible. Let $R_{\mathit{enq}}$ 
be the actions generated by the enq method and $R_{\mathit{deq}}$ be those generated by deq. 
(2) For each action that is executed at most once by an enq(v) invocation, it generates a 
fresh auxiliary variable, $e_\ell$, and records that $e_\ell$ changes from 0 to 1 by performing that 
action. Formally, we define: 

$$E \stackrel{\text{def}}{=} \{(\ell, A) \in R_{\mathit{enq}} \mid \ell \text{ occurs at most once on every path through } \mathit{enq}\}$$

$$R' \stackrel{\text{def}}{=} \{(\ell,\ A \wedge e_\ell = 0 \wedge e'_\ell = 1) \mid (\ell, A) \in E\} \cup (R_{\mathit{enq}} \setminus E),$$

writing $e_\ell$ and $e'_\ell$ for the freshly generated variables in the action's pre- and post-states. 
(The purpose of this instrumentation is to ensure that the E actions will not interfere 
more than once with deq(v) below.) 

(3) Record each action that must be performed by a completed deq(v) event using a fresh 
auxiliary variable, $d_\ell$. Formally, 

$$D \stackrel{\text{def}}{=} \{(\ell, A) \in R_{\mathit{deq}} \mid \ell \text{ must occur on every path through } \mathit{deq}\}$$

$$R'' \stackrel{\text{def}}{=} \{(\ell,\ A \wedge d'_\ell = 1) \mid (\ell, A) \in D\} \cup (R_{\mathit{deq}} \setminus D),$$

where $d'_\ell$ are the freshly generated variables in the action's post-state. (The purpose of 
this instrumentation is to be able to detect whether a deq operation has terminated.) 

(4) Running action inference with the following initial set of actions (the rely condition), 

$$R'[v/\mathit{arg}] \;\cup\; R''[v/\mathit{res}] \;\cup\; \bigcup_{v' \neq v} \big(R_{\mathit{enq}}[v'/\mathit{arg}] \cup R_{\mathit{deq}}[v'/\mathit{res}]\big),$$

verify the Hoare triple 

$$\{e_1 = \dots = e_n = d_1 = \dots = d_m = 0\}\ \ \mathit{deq}(v)\ \ \{\exists i.\ d_i = 0\}.$$

The postcondition ensures that no other deq(v) has terminated, because if it had, it 
must have set each $d_i = 1$. 
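The path conditions in steps (2) and (3) can be decided on the method's control-flow graph: a label occurs at most once on every path iff it lies on no cycle, and it must occur on every terminating path iff deleting it disconnects entry from exit. The Python below, added here and not part of the Cave implementation, builds R' and R'' that way; the graphs and action formulas are constructed stand-ins for the inferred actions, not Cave's output.

```python
from collections import deque

def reachable(cfg, start, removed=frozenset()):
    """Nodes reachable from `start` along paths that avoid the `removed` nodes."""
    seen, todo = set(), deque([] if start in removed else [start])
    while todo:
        n = todo.popleft()
        if n not in seen:
            seen.add(n)
            todo.extend(s for s in cfg.get(n, ()) if s not in removed)
    return seen

def at_most_once(cfg, label):
    """l occurs at most once on every path iff l lies on no cycle (cannot reach itself)."""
    return not any(label in reachable(cfg, s) for s in cfg.get(label, ()))

def on_every_path(cfg, entry, exit_, label):
    """l must occur on every terminating path iff removing l disconnects entry from exit."""
    return exit_ not in reachable(cfg, entry, removed={label})

def instrument_enq(r_enq, cfg):
    """Step (2): members of E get e_l = 0 in the pre-state and e_l' = 1 in the post-state."""
    return {l: (f"{a} ^ e_{l} = 0 ^ e_{l}' = 1" if at_most_once(cfg, l) else a)
            for l, a in r_enq.items()}

def instrument_deq(r_deq, cfg, entry, exit_):
    """Step (3): members of D get d_l' = 1 in the post-state; other actions are unchanged."""
    return {l: (f"{a} ^ d_{l}' = 1" if on_every_path(cfg, entry, exit_, l) else a)
            for l, a in r_deq.items()}

# Constructed control-flow graphs (label -> successors) for the HW queue methods:
# enq is straight-line; deq keeps re-scanning until some SWAP returns a non-null value.
ENQ_CFG = {'E1': ['E2'], 'E2': ['exit'], 'exit': []}
DEQ_CFG = {'D0': ['D1'], 'D1': ['ret', 'D3'], 'D3': ['D1', 'D0'], 'ret': ['exit'], 'exit': []}
# Constructed action formulas A per label (hypothetical, primes denote post-state values).
R_ENQ = {'E1': "back' = back + 1", 'E2': "items[i]' = arg"}
R_DEQ = {'D0': "range' = back - 1", 'D1': "items[i]' = null", 'D3': "i' = i + 1", 'ret': "res = x"}

if __name__ == '__main__':
    print(instrument_enq(R_ENQ, ENQ_CFG))
    print(instrument_deq(R_DEQ, DEQ_CFG, 'D0', 'exit'))
```

Note that the SWAP action D1 is left uninstrumented in R' style reasoning because it sits on the re-scan cycle, while it still lands in D: every terminating dequeue passes through it.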


8. Related Work 

Linearizability was first introduced by Herlihy and Wing [10], who also presented the HW 
queue as an example whose linearizability cannot be proved by a simple forward simulation 
where each method performs its effects instantaneously at some point during its execution. 
The problem is, as we have seen, that neither E_1 nor E_2 can be given as the (unique) 
linearization point of enq events, because the way in which two concurrent enqueues are 
ordered may depend on not-yet-completed concurrent deq events. In other words, one cannot 
simply define a mapping from the concrete HW queue states to the queue specification 
states. Nevertheless, Herlihy and Wing do not dismiss the linearization point technique 
completely, as we do, but instead construct a proof where they map concrete states to 
non-empty sets of specification states. 

This mapping of concrete states to non-empty sets of abstract states is closely related 
to the method of backward simulations, employed by a number of manual proof efforts (e.g., [3]), 
and which Schellhorn et al. recently showed to be a complete proof method for 
verifying linearizability. Similar to forward simulation proofs, backward simulation proofs 
are monolithic in the sense that they prove linearizability directly by one big proof. Sadly, 
they are also not very intuitive and as a result often difficult to come up with. For instance, 
although the definition of their backward simulation relation for the HW queue is four lines 
long, Schellhorn et al. devote two full pages to explaining it. 
As a result, most work on automatically verifying linearizability 
and some manual verification efforts have relied on the simpler technique of 
forward simulations, even though it is known to be incomplete. The programmer is typically 
required to annotate each method with its linearization points, and then the verifier uses 
some kind of shape analysis that automatically constructs the simulation relation. This 
approach seems to work well for simple concurrent algorithms such as the Treiber stack and 
the Michael and Scott queues, where finding the linearization points may be automated 
by brute-force search. Most recently, with their technique based on (automatically) 
rewriting implementations, Dragoi et al. [6] have succeeded in extending this approach to some 
implementations with helping. Like their precursors, however, their approach also 
assumes the existence of static linearization points, i.e., instructions in the program code 
that, when executed, invariably correspond to the linearization of one or more methods. Thus, 
there are many implementations, as mentioned in the Introduction, that cannot be handled 
by this approach. 

Among this line of work, the most closely related one to this paper is the recent work 
by Abdulla et al. [1], who verify linearizability of stack and queue algorithms using observer 
automata that report specification violations such as our VOrd. Their approach, however, 
still requires users to annotate methods with linearization points, because the checker automata 
are synchronized with the linearization points of the implementation. 

To the best of our knowledge, there exist only two earlier published proofs of the 
HW queue: (1) the original pencil-and-paper proof by Herlihy and Wing [10], and (2) a 
mechanized backward simulation proof by Schellhorn et al. 

Both proofs are manually constructed. In comparison, our new proof is simpler, more 
modular, and automatically generated. This is largely due to the fact that we have decomposed 
the goal of proving linearizability into proving four simpler properties, which can 
be proved independently. This may allow one to adapt the HW queue algorithm, e.g., by 
checking emptiness of the queue and allowing deq to return NULL, affecting only the 
proof of absence of VWit violations without affecting the correctness arguments of the other 
properties. 

Our violation conditions are arguably closer to what programmers have in mind when 
discussing concurrent data structures. Informal specifications written by programmers and 
bug reports do not mention that some method is not linearizable, but rather things like 
that values were dequeued in the wrong order. 

9. Conclusion 

We have presented a new method for checking linearizability of concurrent queues. Instead 
of searching for the linearization points and doing a monolithic simulation proof, we verify 
four simple properties whose conjunction is equivalent to linearizability with respect to the 
atomic queue specification. By decomposing linearizability proofs in this way, we obtained 
a simpler correctness proof of the Herlihy and Wing queue [10], and one which can be 
produced automatically. 

We believe that our new property-oriented approach to linearizability proofs will be 
applicable to other kinds of concurrent shared data structures, such as stacks, sets, and 
maps. The generalization, however, is not entirely straightforward. In the case of stacks, 
the violations are similar to that of queues, but not exactly dual. The main difference 
is that the ordering violation for stacks is similar to VWit and not to VOrd as one might 
expect. Similarly, the violations for set implementations are also not as simple as dropping 
the ordering constraint. Instead, we need to count the number of successful insertions and 
deletions to express what can go wrong. It remains to be seen, however, whether such 
counting arguments can yield an automatic verification technique. 